CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell

**UPDATE** A new method for bypassing ProxyNotShell mitigations was found after being seen exploited in the wild by the Play ransomware gang. While the original exploit took advantage of the Autodiscover endpoint, the new exploit is using the OWA endpoint leading to SSRF. The OWASSRF exploit method involves two different vulnerabilities tracked by CVE-2022-41080 and CVE-2022-41082 that allow remote code execution (RCE) via Outlook Web Access (OWA). This playbook introduces several updates in response to the new discovery: - Hunting: - Detecting possibly successful exploitation of the OWA SSRF vulnerability. - Mitigations: - IIS URL Rewrite rule for the modified exploitation URI path. - Remediation: - Block Indicators - Generic v3 playbook. Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. This playbook includes the following tasks: * Collect detection rules, indicators and mitigation tools. * Exploitation patterns hunting using Cortex XDR - XQL Engine. * Exploitation patterns hunting using 3rd party SIEM products: * Azure Sentinel * Splunk * QRadar * Elasticsearch * Indicators hunting using: * PAN-OS * Splunk * QRadar * Provides Microsoft mitigation and detection capabilities. **More information:** [Threat Brief: OWASSRF Vulnerability Exploitation](https://unit42.paloaltonetworks.com/threat-brief-OWASSRF/) [Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)](https://unit42.paloaltonetworks.com/proxynotshell-cve-2022-41040-cve-2022-41082/) **References:** [OWASSRF: CrowdStrike Identifies New Exploit Method for Exchange Bypassing ProxyNotShell Mitigations](https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/) [Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/) [Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/) [WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html) [ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9) **Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell · 76 tasks · 9 inputs · 0 outputs

Inputs

  • CVEs — The vulnerabilities CVE indicators.
  • SplunkIndex — Splunk's index name in which to search. The default is "*" - All.
  • SplunkEarliestTime — Splunk's earliest time to search.
  • SplunkLatestTime — Splunk's latest time to search.
  • ElasticIndex — Elastic's index name in which to search. The default is "winlogbeat-*" - All.
  • QRadarTimeRange — QRadar's query time range.
  • RunXQLHuntingQueries — Whether to execute the XQL queries.
  • XQLHuntingQueriesType — Whether to execute the ProxyNotShell or OWASSRF XQL queries or both. * Use 'ProxyNotShell' as an input to execute ProxyNotShell queries * Use 'OWASSRF' as an input to execute OWASSRF queries * Use 'Both' as an input to execute both ProxyNotShell and OWASSRF queries
  • PlaybookDescription — The playbook's description.

Commands used

associateIndicatorsToIncident azure-log-analytics-execute-query closeInvestigation createNewIndicator extractIndicators qradar-search-create qradar-search-results-get search splunk-search xdr-xql-generic-query

Flowchart

Yes yes No Yes yes yes yes yes yes yes yes QRadar v2 QRadar v2 QRadar v2 QRadar v3 QRadar v3 QRadar v3 Yes Yes Yes Yes Yes Yes Both OWASSRF ProxyNotShell Start Start China Chopper webshell detection - http China Chopper webshell de... http Collect Detection Rules Collect Detection Rules Threat Hunting Threat Hunting SIEM Advanced Hunting SIEM Advanced Hunting Detect suspicious ASPX file dropped by Exchange - splunk-search Detect suspicious ASPX fi... splunk-search Detect suspicious ASPX file dropped by Exchange - QRadarFullSearch Detect suspicious ASPX fi... QRadarFullSearch Detect Chopper Webshell process pattern - search Detect Chopper Webshell p... search Cortex XDR - XQL Hunting Queries Cortex XDR - XQL Hunting ... Should run XQL hunting queries? Should run XQL hunting qu... Check if Cortex XDR - XQL Query Engine is Enabled Check if Cortex XDR - XQL... Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Remediation Remediation Recommended Workarounds Recommended Workarounds Deploy Detection Rules Deploy Detection Rules Detect certutil netcons to public IP addresses - xdr-xql-generic-query Detect certutil netcons t... xdr-xql-generic-query Exchange On-premises Mitigation Tool v2 - HttpV2 Exchange On-premises Miti... HttpV2 Sigma Rules Sigma Rules Analysis resolution - Should continue with the investigation? Analysis resolution - Sho... Done Done Investigate Further Investigate Further Close Investigation - closeInvestigation Close Investigation closeInvestigation Resolution Resolution Detect Chopper Webshell process pattern - splunk-search Detect Chopper Webshell p... splunk-search Detect DLL and EXE writes to Public folder on Exchange/IIS hosts - xdr-xql-generic-query Detect DLL and EXE writes... xdr-xql-generic-query Collect Indicators Collect Indicators Extract Indicators Extract Indicators Extract Indicators From Data Collected - extractIndicators Extract Indicators From D... extractIndicators Tag and Link Indicators Tag and Link Indicators Link Indicators To Incident - associateIndicatorsToIncident Link Indicators To Incident associateIndicatorsToIncident Tag File indicators - createNewIndicator Tag File indicators createNewIndicator Tag CVE indicators - createNewIndicator Tag CVE indicators createNewIndicator Tag Domain indicators - createNewIndicator Tag Domain indicators createNewIndicator Detect Chopper Webshell process pattern - QRadarFullSearch Detect Chopper Webshell p... QRadarFullSearch Webshell dropped by exchange detection - http Webshell dropped by excha... http Tag IP indicators - createNewIndicator Tag IP indicators createNewIndicator Tag URL indicators - createNewIndicator Tag URL indicators createNewIndicator Detect suspicious ASPX file dropped by Exchange - search Detect suspicious ASPX fi... search Is Azure Log Analytics Enabled? Is Azure Log Analytics En... Detect Exchange SSRF Autodiscover ProxyShell - azure-log-analytics-execute-query Detect Exchange SSRF Auto... azure-log-analytics-execute-q... Detect Exchange server suspicious file downloads - azure-log-analytics-execute-query Detect Exchange server su... azure-log-analytics-execute-q... Detect Exchange worker process making remote call - azure-log-analytics-execute-query Detect Exchange worker pr... azure-log-analytics-execute-q... Detect suspicious ASPX file dropped by Exchange - azure-log-analytics-execute-query Detect suspicious ASPX fi... azure-log-analytics-execute-q... Detect Exchange IIS worker dropping webshell - azure-log-analytics-execute-query Detect Exchange IIS worke... azure-log-analytics-execute-q... Detect Chopper Webshell process pattern - azure-log-analytics-execute-query Detect Chopper Webshell p... azure-log-analytics-execute-q... Cortex XDR Advanced Hunting Cortex XDR Advanced Hunting Azure Sentinel Advanced Hunting Azure Sentinel Advanced H... Detection of China Chopper webshell activity - xdr-xql-generic-query Detection of China Choppe... xdr-xql-generic-query Detect suspicious files in Exchange directories - xdr-xql-generic-query Detect suspicious files i... xdr-xql-generic-query Download Mitigation Tools Download Mitigation Tools Mitigate IIS URL Rewrite - ProxyNotShell Mitigate IIS URL Rewrite ... Is QRadar Enabled? Is QRadar Enabled? Is Splunk Enabled? Is Splunk Enabled? Is Elasticsearch Enabled? Is Elasticsearch Enabled? Set Rapid Breach Response Layout Set Rapid Breach Response... Rapid Breach Response - Set Incident Info - Rapid Breach Response - Set Incident Info Rapid Breach Response - S... Rapid Breach Response - Set I... Detect Chopper Webshell process pattern - qradar-search-create Detect Chopper Webshell p... qradar-search-create Detect suspicious ASPX file dropped by Exchange - qradar-search-create Detect suspicious ASPX fi... qradar-search-create QRadar fetch query results - qradar-search-results-get QRadar fetch query results qradar-search-results-get PAN-OS Query Logs For Indicators - PAN-OS Query Logs For Indicators PAN-OS Query Logs For Ind... PAN-OS Query Logs For Indicators Detect a possibly successful ProxyNotShell bypass attempt. - splunk-search Detect a possibly success... splunk-search Detect a possibly successful ProxyNotShell bypass attempt. - search Detect a possibly success... search Detect a possibly successful ProxyNotShell bypass attempt - QRadarFullSearch Detect a possibly success... QRadarFullSearch Detect a possibly successful ProxyNotShell bypass attempt. - qradar-search-create Detect a possibly success... qradar-search-create Detect possibly successful ProxyNotShell bypass - OWASSRF - azure-log-analytics-execute-query Detect possibly successfu... azure-log-analytics-execute-q... Mitigate IIS URL Rewrite - OWASSRF - ProxyNotShell bypass Mitigate IIS URL Rewrite ... Block Indicators - Generic v3 - Block Indicators - Generic v3 Block Indicators - Generi... Block Indicators - Generic v3 Collect indicators from SOCRadar - ParseHTMLIndicators Collect indicators from S... ParseHTMLIndicators Collect indicators from PANW Unit42 - ParseHTMLIndicators Collect indicators from P... ParseHTMLIndicators ProxyNotShell XQL Queries ProxyNotShell XQL Queries Choose which XQL queries to execute Choose which XQL queries ... OWASSRF XQL Queries OWASSRF XQL Queries Detect w3wp.exe suspicious child processes - xdr-xql-generic-query Detect w3wp.exe suspiciou... xdr-xql-generic-query Detect w3wp.exe spawning PowerShell with 'frombase64string' in the command-line - xdr-xql-generic-query Detect w3wp.exe spawning... xdr-xql-generic-query ProxyNotShell & OWASSRF XQL Queries ProxyNotShell & OWASSRF X...