You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: detections/web/windows_exchange_autodiscover_ssrf_abuse.yml
+15-4Lines changed: 15 additions & 4 deletions
Original file line number
Diff line number
Diff line change
@@ -1,14 +1,24 @@
1
1
name: Windows Exchange Autodiscover SSRF Abuse
2
2
id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752
3
-
version: 3
4
-
date: '2024-09-30'
3
+
version: 4
4
+
date: '2025-01-16'
5
5
author: Michael Haag, Nathaniel Stearns, Splunk
6
6
status: production
7
7
type: TTP
8
-
description: The following analytic detects potential abuse of the ProxyShell or ProxyNotShell vulnerabilities in Microsoft Exchange via Server Side Request Forgery (SSRF). It leverages the Web datamodel to identify suspicious POST requests with specific URI paths and queries related to autodiscover, powershell, and mapi. This activity is significant as it may indicate an attempt to exploit Exchange server vulnerabilities to access internal services or sensitive data. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or further compromise of the network.
8
+
description: This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server. The detection focuses on identifying the SSRF attack patterns used in these exploit chains. The analytic monitors for suspicious POST requests to /autodiscover/autodiscover.json endpoints that may indicate attempts to enumerate LegacyDN attributes as part of initial reconnaissance. It also detects requests containing X-Rps-CAT parameters that could indicate attempts to impersonate Exchange users and access the PowerShell backend. Additionally, it looks for MAPI requests that may be used to obtain user SIDs, along with suspicious user agents (particularly Python-based) commonly used in automated exploit attempts. If successful, these attacks can lead to remote code execution as SYSTEM, allowing attackers to deploy webshells, access mailboxes, or gain persistent access to the Exchange server and potentially the broader network environment.
9
9
data_source:
10
10
- Windows IIS
11
-
search: '| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query | `drop_dm_object_name("Web")` | eval is_autodiscover=if(like(lower(uri_path),"%autodiscover%"),1,0) | eval powershell = if(match(lower(uri_query),"powershell"), "1",0) | eval mapi=if(like(uri_query,"%/mapi/%"),1,0) | addtotals fieldname=Score is_autodiscover, powershell, mapi | fields Score, src,dest, status, uri_query,uri_path,http_method | where Score >= 2 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `windows_exchange_autodiscover_ssrf_abuse_filter`'
11
+
search: ' | tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query Web.http_user_agent
how_to_implement: To successfully implement this search you need to be ingesting information on Web traffic, Exchange OR IIS logs, mapped to `Web` datamodel in the `Web` node. In addition, confirm the latest CIM App 4.20 or higher is installed.
13
23
known_false_positives: False positives are limited.
0 commit comments