ProxyNotShell Response Pack (#21587)

* test

* test

* New response pack for Microsoft Exchange SSRF and RCE vulnerabilities

* update RN

* update pack-metadata

* update pack-metadata and playbook changes

* updated pack-ignore and removed RN

* fix error specific brand

* fix pack-ignore

* fix QRadar tasks naming

* remove secrets

* fix

Co-authored-by: evisochek <evisochek@paloaltonetworks.com>

Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell_README.md

@@ -0,0 +1,82 @@
+Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  
+
+Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
+
+This playbook includes the following tasks:
+
+* Collect detection rules, indicators and mitigation tools.
+* Exploitation patterns hunting using Cortex XDR - XQL Engine.
+* Exploitation patterns hunting using 3rd party SIEM products:
+    * Azure Sentinel
+    * Splunk
+    * QRadar
+    * Elasticsearch
+* Indicators hunting using:
+    * PAN-OS
+    * Splunk
+    * QRadar
+* Provides Microsoft mitigation and detection capabilities.
+
+**References:**
+
+[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)
+
+[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)
+
+[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)
+
+[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)
+
+**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
+
+## Dependencies
+This playbook uses the following sub-playbooks, integrations, and scripts.
+
+### Sub-playbooks
+* QRadar Indicator Hunting V2
+* QRadarFullSearch
+* Rapid Breach Response - Set Incident Info
+* Splunk Indicator Hunting
+* PAN-OS Query Logs For Indicators
+
+### Integrations
+* Elasticsearch v2
+
+### Scripts
+* HttpV2
+* http
+* ParseHTMLIndicators
+
+### Commands
+* xdr-xql-generic-query
+* search
+* azure-log-analytics-execute-query
+* extractIndicators
+* createNewIndicator
+* qradar-search-results-get
+* closeInvestigation
+* associateIndicatorsToIncident
+* qradar-search-create
+* splunk-search
+
+## Playbook Inputs
+---
+
+| **Name** | **Description** | **Default Value** | **Required** |
+| --- | --- | --- | --- |
+| CVEs | The vulnerabilities CVE indicators. | CVE-2022-41040,CVE-2022-41082 | Optional |
+| SplunkIndex | Splunk's index name in which to search. The default is "\*" - All. | * | Optional |
+| SplunkEarliestTime | Splunk's earliest time to search. | -7d@d | Optional |
+| SplunkLatestTime | Splunk's latest time to search. | now | Optional |
+| ElasticIndex | Elastic's index name in which to search. The default is "winlogbeat-\*" - All. | winlogbeat-* | Optional |
+| QRadarTimeRange | QRadar's query time range. | Last 7 DAYS | Optional |
+| RunXQLHuntingQueries | Whether to execute the XQL queries. | False | Optional |
+| PlaybookDescription | The playbook's description. | Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  <br/><br/>Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.<br/><br/>This playbook includes the following tasks:<br/><br/>* Collect detection rules, indicators and mitigation tools.<br/>* Exploitation patterns hunting using Cortex XDR - XQL Engine.<br/>* Exploitation patterns hunting using 3rd party SIEM products:<br/>    * Azure Sentinel<br/>    * Splunk<br/>    * QRadar<br/>    * Elasticsearch<br/>* Indicators hunting using:<br/>    * PAN-OS<br/>    * Splunk<br/>    * QRadar<br/>* Provides Microsoft mitigation and detection capabilities.<br/><br/>**References:**<br/><br/>[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)<br/><br/>[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)<br/><br/>[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)<br/><br/>[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)<br/><br/>**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
+
+## Playbook Outputs
+---
+There are no outputs for this playbook.
+
+## Playbook Image
+---
+![CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell](../doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png)

Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/README.md

@@ -0,0 +1,23 @@
+This pack is part of the [Rapid Breach Response](https://xsoar.pan.dev/marketplace/details/MajorBreachesInvestigationandResponse) pack.
+
+Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.  
+
+Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities.  In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
+
+This playbook includes the following tasks:
+
+* Collect detection rules, indicators and mitigation tools.
+* Exploitation patterns hunting using Cortex XDR - XQL Engine.
+* Exploitation patterns hunting using 3rd party SIEM products.
+* Indicators hunting.
+* Provides Microsoft mitigation and detection capabilities.
+
+**References:**
+
+[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)
+
+[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)
+
+[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)
+
+[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)

Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/pack_metadata.json

@@ -0,0 +1,45 @@
+{
+    "name": "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell",
+    "description": "This pack handles Microsoft Exchange SSRF CVE-2022-41040 & RCE CVE-2022-41082 vulnerabilities, aka ProxyNotShell, a 0-day exploits in Microsoft Exchange Servers",
+    "support": "xsoar",
+    "currentVersion": "1.0.0",
+    "author": "Cortex XSOAR",
+    "url": "https://www.paloaltonetworks.com/cortex",
+    "email": "",
+    "categories": [],
+    "tags": [
+        "Incident Response"
+    ],
+    "useCases": [
+        "Hunting",
+        "Incident Response",
+        "Rapid Breach Response"
+    ],
+    "keywords": [
+        "zero-day",
+        "0-day",
+        "zero day",
+        "Exchange",
+        "Microsoft Exchange",
+        "IIS",
+        "Microsoft",
+        "ProxyNotShell",
+        "CVE",
+        "CVE-2022-41040",
+        "CVE-2022-41082",
+        "41040",
+        "41082",
+        "RCE",
+        "SSRF"
+    ],
+    "dependencies": {
+        "MajorBreachesInvestigationandResponse": {
+            "mandatory": true,
+            "display_name": "Rapid Breach Response"
+        }
+    },
+    "marketplaces": [
+        "xsoar",
+        "marketplacev2"
+    ]
+}

Packs/MajorBreachesInvestigationandResponse/ReleaseNotes/1_6_24.md

@@ -0,0 +1,6 @@
+#### Packs
+##### CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell
+- New pack which handles the new Microsoft Exchange Servers SSRF and RCE vulnerabilities, CVE-2022-41040 & CVE-2022-41082.
+
+  This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
+  our Marketplace.

Packs/MajorBreachesInvestigationandResponse/pack_metadata.json

@@ -2,7 +2,7 @@
     "name": "Rapid Breach Response",
     "description": "This content Pack helps you collect, investigate, and remediate incidents related to major breaches.",
     "support": "xsoar",
-    "currentVersion": "1.6.23",
+    "currentVersion": "1.6.24",
     "author": "Cortex XSOAR",
     "url": "https://www.paloaltonetworks.com/cortex",
     "email": "",