Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectioncriticaltest

ProxyLogon MSExchange OabVirtualDirectory

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Mon Aug 09Updated Mon Jan 23550d3350-bb8a-4ff3-9533-2ba533f4a1c0windows
Log Source
Windowsmsexchange-management
ProductWindows← raw: windows
Servicemsexchange-management← raw: msexchange-management
Detection Logic
Detection Logic2 selectors
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

References
1
Resolving title…
bi-zone.medium.com
MITRE ATT&CK

Sub-techniques

T1587.001 · Malware
Rule Metadata
Rule ID
550d3350-bb8a-4ff3-9533-2ba533f4a1c0
Status
test
Level
critical
Type
Detection
Created
Mon Aug 09
Modified
Mon Jan 23
Author
Florian Roth (Nextron Systems)
Path
rules/windows/builtin/msexchange/win_exchange_proxylogon_oabvirtualdir.yml
Raw Tags
attack.t1587.001attack.resource-development
View on GitHub