ProxyNotShell Response Pack (#21587)
* test
* test
* New response pack for Microsoft Exchange SSRF and RCE vulnerabilities
* update RN
* update pack-metadata
* update pack-metadata and playbook changes
* updated pack-ignore and removed RN
* fix error specific brand
* fix pack-ignore
* fix QRadar tasks naming
* remove secrets
* fix

Co-authored-by: evisochek <evisochek@paloaltonetworks.com>
Showing 9 changed files with 3,246 additions and 1 deletion.
Empty file.
Empty file.
3,089 changes: 3,089 additions & 0 deletions
...82_-_ProxyNotShell/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.yml
Large diffs are not rendered by default.
82 changes: 82 additions & 0 deletions
...ll/Playbooks/playbook-CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell_README.md
@@ -0,0 +1,82 @@ | ||
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. | ||
|
||
Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. | ||
|
||
This playbook includes the following tasks: | ||
|
||
* Collect detection rules, indicators and mitigation tools. | ||
* Exploitation patterns hunting using Cortex XDR - XQL Engine. | ||
* Exploitation patterns hunting using 3rd party SIEM products: | ||
* Azure Sentinel | ||
* Splunk | ||
* QRadar | ||
* Elasticsearch | ||
* Indicators hunting using: | ||
* PAN-OS | ||
* Splunk | ||
* QRadar | ||
* Provides Microsoft mitigation and detection capabilities. | ||
|
||
**References:** | ||
|
||
[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/) | ||
|
||
[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/) | ||
|
||
[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html) | ||
|
||
[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9) | ||
|
||
**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | ||
|
||
## Dependencies | ||
This playbook uses the following sub-playbooks, integrations, and scripts. | ||
|
||
### Sub-playbooks | ||
* QRadar Indicator Hunting V2 | ||
* QRadarFullSearch | ||
* Rapid Breach Response - Set Incident Info | ||
* Splunk Indicator Hunting | ||
* PAN-OS Query Logs For Indicators | ||
|
||
### Integrations | ||
* Elasticsearch v2 | ||
|
||
### Scripts | ||
* HttpV2 | ||
* http | ||
* ParseHTMLIndicators | ||
|
||
### Commands | ||
* xdr-xql-generic-query | ||
* search | ||
* azure-log-analytics-execute-query | ||
* extractIndicators | ||
* createNewIndicator | ||
* qradar-search-results-get | ||
* closeInvestigation | ||
* associateIndicatorsToIncident | ||
* qradar-search-create | ||
* splunk-search | ||
|
||
## Playbook Inputs | ||
--- | ||
|
||
| **Name** | **Description** | **Default Value** | **Required** | | ||
| --- | --- | --- | --- | | ||
| CVEs | The vulnerabilities CVE indicators. | CVE-2022-41040,CVE-2022-41082 | Optional | | ||
| SplunkIndex | Splunk's index name in which to search. The default is "\*" - All. | * | Optional | | ||
| SplunkEarliestTime | Splunk's earliest time to search. | -7d@d | Optional | | ||
| SplunkLatestTime | Splunk's latest time to search. | now | Optional | | ||
| ElasticIndex | Elastic's index name in which to search. The default is "winlogbeat-\*" - All. | winlogbeat-* | Optional | | ||
| QRadarTimeRange | QRadar's query time range. | Last 7 DAYS | Optional | | ||
| RunXQLHuntingQueries | Whether to execute the XQL queries. | False | Optional | | ||
| PlaybookDescription | The playbook's description. | Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. <br/><br/>Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.<br/><br/>This playbook includes the following tasks:<br/><br/>* Collect detection rules, indicators and mitigation tools.<br/>* Exploitation patterns hunting using Cortex XDR - XQL Engine.<br/>* Exploitation patterns hunting using 3rd party SIEM products:<br/> * Azure Sentinel<br/> * Splunk<br/> * QRadar<br/> * Elasticsearch<br/>* Indicators hunting using:<br/> * PAN-OS<br/> * Splunk<br/> * QRadar<br/>* Provides Microsoft mitigation and detection capabilities.<br/><br/>**References:**<br/><br/>[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/)<br/><br/>[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/)<br/><br/>[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE 
SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html)<br/><br/>[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9)<br/><br/>**Note:** This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional | | ||
|
||
## Playbook Outputs | ||
--- | ||
There are no outputs for this playbook. | ||
|
||
## Playbook Image | ||
--- | ||
![CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell](../doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png) |
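Review bot: the `ElasticIndex` row of the inputs table documents its default as `"winlogbeat-\*" - All`, but `winlogbeat-*` matches only Winlogbeat indices, not every index; either say it searches the Windows event log indices shipped by Winlogbeat or drop the `- All` suffix (that wording fits the `SplunkIndex` row, whose default really is `*`). Two more points in the same table: `RunXQLHuntingQueries` defaults to `False`, so the "Exploitation patterns hunting using Cortex XDR - XQL Engine" task listed above does not run unless the operator enables it, and the task list should say so; and `SplunkEarliestTime` (`-7d@d`) together with `QRadarTimeRange` (`Last 7 DAYS`) gives a seven-day lookback for vulnerabilities the text describes as already used in targeted attacks, so the input descriptions should tell operators to widen the window when the server may have been exposed for longer. Finally, the `PlaybookDescription` default repeats the entire README body, reference links and beta note included, inside one table cell; a one-paragraph summary there would keep the table readable.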
23 changes: 23 additions & 0 deletions
Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/README.md
@@ -0,0 +1,23 @@ | ||
This pack is part of the [Rapid Breach Response](https://xsoar.pan.dev/marketplace/details/MajorBreachesInvestigationandResponse) pack. | ||
|
||
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. | ||
|
||
Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. | ||
|
||
This playbook includes the following tasks: | ||
|
||
* Collect detection rules, indicators and mitigation tools. | ||
* Exploitation patterns hunting using Cortex XDR - XQL Engine. | ||
* Exploitation patterns hunting using 3rd party SIEM products. | ||
* Indicators hunting. | ||
* Provides Microsoft mitigation and detection capabilities. | ||
|
||
**References:** | ||
|
||
[Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082](https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/) | ||
|
||
[Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server](https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/) | ||
|
||
[WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER](https://gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html) | ||
|
||
[ProxyNotShell— the story of the claimed zero days in Microsoft Exchange](https://doublepulsar.com/proxynotshell-the-story-of-the-claimed-zero-day-in-microsoft-exchange-5c63d963a9e9) |
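Review bot: this is the pack README, yet the body is copied from the playbook README and says "This playbook includes the following tasks", so a reader browsing the marketplace never learns that the pack ships one playbook (`CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell`) or that it is beta, which the playbook README states and this file omits; add a sentence naming the playbook and carry the beta note over. Minor style: the task list mixes imperative items with "Provides Microsoft mitigation and detection capabilities"; "Provide" keeps the list parallel.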
Binary file added: BIN +931 KB
...2_-_ProxyNotShell/doc_files/CVE-2022-41040_&_CVE-2022-41082_-_ProxyNotShell.png
45 changes: 45 additions & 0 deletions
Packs/CVE_2022_41040_and_CVE_2022_41082_-_ProxyNotShell/pack_metadata.json
@@ -0,0 +1,45 @@ | ||
{ | ||
"name": "CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell", | ||
"description": "This pack handles Microsoft Exchange SSRF CVE-2022-41040 & RCE CVE-2022-41082 vulnerabilities, aka ProxyNotShell, a 0-day exploits in Microsoft Exchange Servers", | ||
"support": "xsoar", | ||
"currentVersion": "1.0.0", | ||
"author": "Cortex XSOAR", | ||
"url": "https://www.paloaltonetworks.com/cortex", | ||
"email": "", | ||
"categories": [], | ||
"tags": [ | ||
"Incident Response" | ||
], | ||
"useCases": [ | ||
"Hunting", | ||
"Incident Response", | ||
"Rapid Breach Response" | ||
], | ||
"keywords": [ | ||
"zero-day", | ||
"0-day", | ||
"zero day", | ||
"Exchange", | ||
"Microsoft Exchange", | ||
"IIS", | ||
"Microsoft", | ||
"ProxyNotShell", | ||
"CVE", | ||
"CVE-2022-41040", | ||
"CVE-2022-41082", | ||
"41040", | ||
"41082", | ||
"RCE", | ||
"SSRF" | ||
], | ||
"dependencies": { | ||
"MajorBreachesInvestigationandResponse": { | ||
"mandatory": true, | ||
"display_name": "Rapid Breach Response" | ||
} | ||
}, | ||
"marketplaces": [ | ||
"xsoar", | ||
"marketplacev2" | ||
] | ||
} |
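Review bot: the `description` string is ungrammatical, `"aka ProxyNotShell, a 0-day exploits in Microsoft Exchange Servers"`, and it is the text shown in the marketplace listing; change it to something like `"aka ProxyNotShell, zero-day vulnerabilities exploited in the wild against Microsoft Exchange Server"`. `"categories": []` is empty and `"email": ""` is blank; confirm the pack validator accepts an empty category list, and if not, pick one, since the README and release notes in this commit file the pack under Rapid Breach Response. The dependency block itself is consistent: it declares that this pack requires `MajorBreachesInvestigationandResponse`, matching the README's statement that the pack is part of Rapid Breach Response.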
6 changes: 6 additions & 0 deletions
Packs/MajorBreachesInvestigationandResponse/ReleaseNotes/1_6_24.md
@@ -0,0 +1,6 @@ | ||
#### Packs | ||
##### CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell | ||
- New pack which handles the new Microsoft Exchange Servers SSRF and RCE vulnerabilities, CVE-2022-41040 & CVE-2022-41082. | ||
|
||
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via | ||
our Marketplace. |
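Review bot: "(optional dependency)" is ambiguous about direction. The new pack's `pack_metadata.json` in this commit declares a mandatory dependency on `MajorBreachesInvestigationandResponse`, so what this sentence means is the reverse relation: the ProxyNotShell pack is an optional dependency of Rapid Breach Response (hence the checkbox when updating it), while installing ProxyNotShell directly pulls in Rapid Breach Response. Say that explicitly, e.g. "This pack is an optional dependency of the Rapid Breach Response pack and can be installed by checking the box when updating it, or directly via our Marketplace; it requires the Rapid Breach Response pack." Also "Microsoft Exchange Servers SSRF and RCE vulnerabilities" reads better as "Microsoft Exchange Server SSRF and RCE vulnerabilities".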