From 8ce3783394d06ea752b93247c3b861be26d8910b Mon Sep 17 00:00:00 2001 From: Michael Haag <5632822+MHaggis@users.noreply.github.com> Date: Thu, 16 Jan 2025 10:02:05 -0700 Subject: [PATCH] Update windows_exchange_autodiscover_ssrf_abuse.yml - Updated detection description to better explain ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) attack patterns - Enhanced search query: - X-Rps-CAT parameter - Suspicious user agent strings --- ...ndows_exchange_autodiscover_ssrf_abuse.yml | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml index 233ca0702a..92afbf59eb 100644 --- a/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml +++ b/detections/web/windows_exchange_autodiscover_ssrf_abuse.yml @@ -1,14 +1,24 @@ name: Windows Exchange Autodiscover SSRF Abuse id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752 -version: 3 -date: '2024-09-30' +version: 4 +date: '2025-01-16' author: Michael Haag, Nathaniel Stearns, Splunk status: production type: TTP -description: The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network. +description: This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server. The detection focuses on identifying the SSRF attack patterns used in these exploit chains. The analytic monitors for suspicious POST requests to /autodiscover/autodiscover.json endpoints that may indicate attempts to enumerate LegacyDN attributes as part of initial reconnaissance. It also detects requests containing X-Rps-CAT parameters that could indicate attempts to impersonate Exchange users and access the PowerShell backend. Additionally, it looks for MAPI requests that may be used to obtain user SIDs, along with suspicious user agents (particularly Python-based) commonly used in automated exploit attempts. If successful, these attacks can lead to remote code execution as SYSTEM, allowing attackers to deploy webshells, access mailboxes, or gain persistent access to the Exchange server and potentially the broader network environment. data_source: - Windows IIS -search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name("Web")` | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover%"),1,0) | eval powershell = if(match(lower(uri_query),"powershell"), "1",0) | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`' +search: ' | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent + | `drop_dm_object_name("Web")` + | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover/autodiscover.json%"),1,0) + | eval has_rps_cat=if(like(lower(uri_query),"%x-rps-cat=%"),1,0) + | eval exchange_backend=if(like(lower(uri_query),"%/powershell/?%"),1,0) + | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) + | eval suspicious_agent=if(match(lower(http_user_agent), "python|urllib"),1,0) + | addtotals fieldname=Score is_autodiscover, has_rps_cat, exchange_backend, mapi, suspicious_agent + | where Score >= 3 + | fields Score, src, dest, status, uri_query, uri_path, http_method, http_user_agent + | `windows_exchange_autodiscover_ssrf_abuse_filter`' how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed. known_false_positives: False positives are limited. references: @@ -21,6 +31,7 @@ references: - https://docs.splunk.com/Documentation/AddOns/released/MSIIS - https://highon.coffee/blog/ssrf-cheat-sheet/ - https://owasp.org/Top10/A10_2021-Server-Side_Request_Forgery_%28SSRF%29/ +- https://m365internals.com/2022/10/18/hunting-and-responding-to-proxyshell-attacks/ drilldown_searches: - name: View the detection results for - "$dest$" search: '%original_detection_search% | search dest = "$dest$"'