
YARA rules for CVE-2022-41040

5 rules, scoped to CVE-2022-41040
YARA rules whose family, name, or description matches this CVE or its tooling. Use these for pattern hunts; note that all five rules on this page are LOG rules, written to match text in Exchange HTTP proxy and IIS request logs rather than binaries, so run them against log files or log archives.

Rule 1 of 5 (tags: direct, LOG)
EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1
Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Author: Florian Roth (Nextron Systems). License: see source repo.
rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1 {
   meta:
      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
      date = "2022-12-22"
      score = 70
      id = "a61f6582-474f-5b6f-b8f5-329c0bcc4017"
   strings:
      $s1 = "/owa/mastermailbox%40outlook.com/powershell" ascii wide

      $sa1 = " 200 " ascii wide
      $sa2 = " POST " ascii wide

      // based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
      $fp1 = "ClientInfo" ascii wide fullword
      $fp2 = "Microsoft WinRM Client" ascii wide fullword
      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
   condition:
      all of ($s*) and not 1 of ($fp*)
}

Rule 2 of 5 (tags: direct, LOG)
EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2
Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Author: Florian Roth (Nextron Systems). License: see source repo.
rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2 {
   meta:
      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
      date = "2022-12-22"
      score = 60
      id = "85722997-fd28-51cf-817e-7a314e284b0b"
   strings:
      $sr1 = / \/owa\/[^\/\s]{1,30}(%40|@)[^\/\s\.]{1,30}\.[^\/\s]{2,3}\/powershell / ascii wide

      $sa1 = " 200 " ascii wide
      $sa2 = " POST " ascii wide

      // based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
      $fp1 = "ClientInfo" ascii wide fullword
      $fp2 = "Microsoft WinRM Client" ascii wide fullword
      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
   condition:
      all of ($s*)
      and not 1 of ($fp*)
}

Rule 3 of 5 (tags: direct, LOG)
EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3
Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Author: Florian Roth (Nextron Systems). License: see source repo.
rule EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3 {
   meta:
      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
      date = "2022-12-22"
      score = 60
      id = "76dd786e-daaa-5cd9-8e3e-50d9eab7f9d2"
   strings:
      $sa1 = " POST /powershell - 444 " ascii wide
      $sa2 = " POST /Powershell - 444 " ascii wide
      $sb1 = " - 200 0 0 2" ascii wide

      // based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
      $fp1 = "ClientInfo" ascii wide fullword
      $fp2 = "Microsoft WinRM Client" ascii wide fullword
      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
   condition:
      1 of ($sa*) and $sb1 and not 1 of ($fp*)
}

Rule 4 of 5 (tags: direct, LOG)
EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1
Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Author: Florian Roth (Nextron Systems). License: see source repo.
rule EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1 {
   meta:
      description = "Detects traces of exploitation activity in relation to ProxyNotShell MS Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/"
      date = "2022-12-22"
      modified = "2023-01-26"
      score = 70
      id = "5af3ae70-8897-593f-a413-82ca1d1ba961"
   strings:
      $re1 = /,\/[Pp][Oo][Ww][Ee][Rr][Ss][Hh][Ee][Ll][Ll][^\n]{0,50},Kerberos,true,[^\n]{0,50},200,0,,,,[^\n]{0,2000};OnEndRequest\.End\.ContentType=application\/soap\+xml charset UTF-8;S:ServiceCommonMetadata\.HttpMethod=POST;/ ascii wide

      // based on filters found in CrowdStrikes script https://github.com/CrowdStrike/OWASSRF/blob/main/Rps_Http-IOC.ps1
      $fp1 = "ClientInfo" ascii wide fullword
      $fp2 = "Microsoft WinRM Client" ascii wide fullword
      $fp3 = "Exchange BackEnd Probes" ascii wide fullword
   condition:
      $re1 and not 1 of ($fp*)
}

Rule 5 of 5 (tags: direct, LOG)
LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22
Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers
Author: Florian Roth (Nextron Systems). License: see source repo.
rule LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22 {
   meta:
      description = "Detects logs generated after a successful exploitation using the PoC code against CVE-2022-41040 and CVE-2022-41082 (aka ProxyNotShell) in Microsoft Exchange servers"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://github.com/testanull/ProxyNotShell-PoC"
      date = "2022-11-17"
      score = 70
      id = "1e47d124-3103-5bf5-946f-b1bb69ff2c8e"
   strings:
      $aa1 = " POST " ascii wide
      $aa2 = " GET " ascii wide

      $ab1 = " 200 " ascii wide

      $s01 = "/autodiscover.json x=a" ascii wide
      $s02 = "/autodiscover/admin@localhost/" ascii wide
   condition:
      1 of ($aa*) and $ab1 and 1 of ($s*)
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin