Analytics Story: ProxyNotShell
Description
Two new zero day Microsoft Exchange vulnerabilities have been identified actively exploited in the wild - CVE-2022-41040 and CVE-2022-41082.
Why it matters
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. The first vulnerability, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, while the second, identified as CVE-2022-41082, allows remote code execution (RCE) when PowerShell is accessible to the attacker. Originally identified by GTSC monitoring Exchange, some adversary post-exploitation activity was identified and is tagged to this story.
Correlation Search
ProxyShell ProxyNotShell Behavior Detected
1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories FROM datamodel=Risk.All_Risk
2 WHERE All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")
3 OR
4 (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")
5 AND
6 All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system"
7 BY _time span=1h All_Risk.risk_object
8 All_Risk.risk_object_type
9| `drop_dm_object_name(All_Risk)`
10| `security_content_ctime(firstTime)`
11| `security_content_ctime(lastTime)`
12| where source_count >=5
13| `proxyshell_proxynotshell_behavior_detected_filter`
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 1 |  Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows |
XmlWinEventLog |
XmlWinEventLog:Security |
| Powershell Script Block Logging 4104 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon for Linux EventID 1 |  Linux |
sysmon:linux |
Syslog:Linux-Sysmon/Operational |
| Cisco Network Visibility Module Flow Data |  Network |
cisco:nvm:flowdata |
not_applicable |
| Windows IIS | Windows |
IIS:Configuration:Operational |
IIS:Configuration:Operational |
| Sysmon EventID 11 | Windows |
XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
- https://twitter.com/cglyer/status/1575793769814728705?s=20&t=67gq9xCWuyPm1VEm8ydfyA
- https://www.inversecos.com/2022/07/hunting-for-apt-abuse-of-exchange.html
- https://twitter.com/GossiTheDog/status/1575762721353916417?s=20&t=67gq9xCWuyPm1VEm8ydfyA
- https://research.splunk.com/stories/proxyshell/
- https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
- https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
Source: GitHub | Version: 2