Emerging Threatcriticaltest
OWASSRF Exploitation Attempt Using Public POC - Webserver
Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Nasreddine Bencherchali (Nextron Systems)Created Thu Dec 22Updated Mon Jan 0292d78c63-5a5c-4c40-9b60-463810ffb0822022
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Web Server Log
CategoryWeb Server Log← raw: webserver
HTTP access logs from web servers capturing request paths, methods, and status codes.
Detection Logic
Detection Logic1 selector
detection:
selection:
# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
cs-user-agent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36'
cs-method: 'POST'
sc-status: 200
cs-uri-query|contains|all:
- '/owa/mastermailbox'
- '/powershell'
condition: selectionFalse Positives
Unlikely
False positives are unlikely for most environments. High confidence detection.
MITRE ATT&CK
Tactics
Other
detection.emerging-threats
Rule Metadata
Rule ID
92d78c63-5a5c-4c40-9b60-463810ffb082
Status
test
Level
critical
Type
Emerging Threat
Created
Thu Dec 22
Modified
Mon Jan 02
Path
rules-emerging-threats/2022/Exploits/CVE-2022-41082/web_cve_2022_36804_exchange_owassrf_poc_exploitation.yml
Raw Tags
attack.initial-accessattack.t1190detection.emerging-threats