LoFP / false positives are limited.

Techniques

Sample rules

Windows Exchange Autodiscover SSRF Abuse

Description

The following analytic uses the Web datamodel to identify ProxyShell or ProxyNotShell abuse. The underlying weakness is a Server-Side Request Forgery (SSRF), a web vulnerability that lets an adversary exploit vulnerable functionality to reach server-side or internal network services, effectively traversing the external firewall through the vulnerable web front end. The analytic looks for POST requests (with a 200, 302 or 401 status) whose URI path contains autodiscover and whose URI query contains powershell or /mapi/. Each matching indicator adds one to a simple Score, and events whose Score reaches the threshold are returned. The analytic can be extended by adding a further eval statement for another indicator and adjusting the hardcoded Score threshold accordingly.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where (Web.status=200 OR Web.status=302 OR Web.status=401) AND Web.http_method=POST by Web.src Web.status Web.uri_path Web.dest Web.http_method Web.uri_query 
| `drop_dm_object_name("Web")` 
| eval is_autodiscover=if(like(lower(uri_path),"%autodiscover%"),1,0) 
| eval powershell=if(match(lower(uri_query),"powershell"),1,0) 
| eval mapi=if(like(uri_query,"%/mapi/%"),1,0) 
| addtotals fieldname=Score is_autodiscover, powershell, mapi 
| fields Score, src,dest, status, uri_query,uri_path,http_method 
| where Score >= 2 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_exchange_autodiscover_ssrf_abuse_filter`
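To show how the three indicators are tallied and thresholded, here is the same scoring logic reimplemented in Python and run over constructed web-log events. This is an added example, not part of the Splunk rule; the event dicts, their field values and the `score_event`/`find_ssrf_abuse` names are assumptions made for illustration.

```python
"""Python mirror of the SPL indicator tally above, for offline testing.
Added example, not Splunk's or the rule author's code; the events below
are constructed, not real telemetry."""
import re
from typing import Dict, List

# Mirrors the tstats filter: only POST requests with these statuses are scored.
INTERESTING_STATUS = {200, 302, 401}
# SPL: match(lower(uri_query), "powershell")
POWERSHELL_RE = re.compile(r"powershell")


def score_event(event: Dict) -> int:
    """Return the indicator tally (the SPL's Score) for one Web event."""
    uri_path = event.get("uri_path") or ""
    uri_query = event.get("uri_query") or ""
    # like(lower(uri_path), "%autodiscover%")
    is_autodiscover = 1 if "autodiscover" in uri_path.lower() else 0
    powershell = 1 if POWERSHELL_RE.search(uri_query.lower()) else 0
    # like(uri_query, "%/mapi/%") is not lowercased in the SPL, so neither is this.
    mapi = 1 if "/mapi/" in uri_query else 0
    return is_autodiscover + powershell + mapi


def find_ssrf_abuse(events: List[Dict], threshold: int = 2) -> List[Dict]:
    """Apply the tstats where-clause and `where Score >= threshold`; return hits."""
    hits = []
    for ev in events:
        if ev.get("http_method") != "POST" or ev.get("status") not in INTERESTING_STATUS:
            continue
        score = score_event(ev)
        if score >= threshold:
            hits.append({**ev, "Score": score})
    return hits


# Constructed sample events (status kept as int here; adjust if your feed uses strings).
SAMPLE_EVENTS = [
    # autodiscover path plus a powershell segment in the query: two indicators
    {"src": "203.0.113.10", "dest": "exch01", "http_method": "POST", "status": 200,
     "uri_path": "/autodiscover/autodiscover.json", "uri_query": "/powershell/?x=1"},
    # mixed-case autodiscover path with /mapi/ in the query; 401 still counts
    {"src": "203.0.113.11", "dest": "exch01", "http_method": "POST", "status": 401,
     "uri_path": "/Autodiscover/Autodiscover.json", "uri_query": "/mapi/nspi/?x=1"},
    # ordinary Outlook autodiscover: one indicator, below the threshold
    {"src": "10.0.0.5", "dest": "exch01", "http_method": "POST", "status": 200,
     "uri_path": "/autodiscover/autodiscover.xml", "uri_query": ""},
    # same indicators but a GET: dropped by the http_method filter
    {"src": "203.0.113.12", "dest": "exch01", "http_method": "GET", "status": 200,
     "uri_path": "/autodiscover/autodiscover.json", "uri_query": "/powershell/"},
]

if __name__ == "__main__":
    for hit in find_ssrf_abuse(SAMPLE_EVENTS):
        print(hit["Score"], hit["src"], hit["uri_path"], hit["uri_query"])
```

Only the first two constructed events reach Score 2; the benign autodiscover POST scores 1 and the GET is never scored, which is the behaviour the SPL's where-clauses give.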