{"id":15112,"date":"2022-12-23T12:42:10","date_gmt":"2022-12-23T11:42:10","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=15112"},"modified":"2024-04-12T16:33:26","modified_gmt":"2024-04-12T14:33:26","slug":"extended-proxynotshell-detection-covering-owassrf","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/","title":{"rendered":"Extended ProxyNotShell Detection Covering OWASSRF"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.19.4″ _module_preset=”default” da_disable_devices=”off|off|off” global_colors_info=”{}” da_is_popup=”off” da_exit_intent=”off” da_has_close=”on” da_alt_close=”off” da_dark_close=”off” da_not_modal=”on” da_is_singular=”off” da_with_loader=”off” da_has_shadow=”on”][et_pb_row _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

In a report published on the 20th of December CrowdStrike published a report<\/a> of a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. The called the new technique OWASSRF as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE).\u00a0
PaolAlto Networks’ Unit42 released their report<\/a> one day later.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_3,1_3,1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Dray Agha’s Tweet” url=”https:\/\/twitter.com\/Purp1eW0lf\/status\/1602989967776808961?s=20″ image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-23-at-11.55.28.png” _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

The security researcher Dray Agha noticed the proof-of-concept (POC) in an unprotected open directory used by an unknown threat actor<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”CrowdStrike’s Report on OWASSRF” url=”https:\/\/www.crowdstrike.com\/blog\/owassrf-exploit-analysis-and-recommendations\/” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-23-at-11.51.10.png” _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

The report contains information on the exploitation, log patterns and a script to detects possible exploitation attempts<\/p>\n

[\/et_pb_blurb][\/et_pb_column][et_pb_column type=”1_3″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_blurb title=”Unit42’s report on OWASSRF” url=”https:\/\/unit42.paloaltonetworks.com\/threat-brief-OWASSRF\/” image=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-23-at-13.22.11.png” _builder_version=”4.19.4″ _module_preset=”default” hover_enabled=”0″ global_colors_info=”{}” title_text=”Screenshot 2022-12-23 at 13.22.11″ sticky_enabled=”0″]<\/p>\n

PaloAlto Networks Unit42 also published a report that also contains information on observed TTPs and information on a PowerShell backdoor called SilverArrow<\/p>\n

[\/et_pb_blurb][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”][et_pb_text _builder_version=”4.19.4″ _module_preset=”default” global_colors_info=”{}”]<\/p>\n

Signatures That Detect This Attack<\/span><\/strong><\/h1>\n

Exploitation<\/span><\/strong><\/h2>\n

YARA (public)<\/h3>\n
\n
EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1<\/span><\/a><\/div>\n
\n
\n
EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2<\/span><\/a><\/div>\n
\n
\n
EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3<\/span><\/a><\/div>\n
\n
\n
EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1<\/span><\/a><\/div>\n
\n
\n
LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22<\/span><\/a><\/div>\n<\/div>\n<\/div>\n
\n
\n
EXPL_Exchange_ProxyNotShell_Patterns_CVE_2022_41040_Oct22_1<\/span><\/a><\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n
\u00a0<\/span>
<\/span><\/div>\n<\/div>\n

SIGMA (public)<\/h3>\n

Potential OWASSRF Exploitation Attempt – Proxy
UUID: 1ddf4596-1908-43c9-add2-1d2c2fcc4797<\/a><\/p>\n

Potential OWASSRF Exploitation Attempt – Webserver
UUID: 181f49fa-0b21-4665-a98c-a57025ebb8c7<\/a><\/p>\n

Post-Exploitation<\/h2>\n

SIGMA (Private)<\/h3>\n

Microsoft Exchange ProxyNotShell Exploit
UUID: df23d4fb-b12b-4425-a340-8d59e2460c43<\/a><\/p>\n

Webshell Detection Suspicious Children
UUID: 9a8e8057-32a7-432d-bf80-197dacf1a77f<\/a><\/p>\n

Shells Spawned by Web Servers in Process Tree
UUID: 6dc0f4e1-7a11-429f-b240-d9f852cea8b3<\/a><\/p>\n

SIGMA (Public)<\/h3>\n

Suspicious File Drop by Exchange
UUID: 6b269392-9eba-40b5-acb6-55c882b20ba6<\/a><\/p>\n

Shells Spawned by Web Servers
UUID: 8202070f-edeb-4d31-a010-a26c72ac5600<\/a><\/span><\/strong><\/p>\n

 <\/p>\n

 <\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

In a report published on the 20th of December CrowdStrike published a report of a new technique exploiting the Microsoft Exchange vulnerability called ProxyNotShell. The called the new technique OWASSRF as it uses Outlook Web Access, CVE-2022-41080 and CVE-2022-41082 to achieve remote code execution (RCE).\u00a0PaolAlto Networks’ Unit42 released their report one day later.\u00a0The security researcher Dray Agha noticed the proof-of-concept (POC) in an unprotected open directory used by an unknown threat actorThe report contains information on the exploitation, log patterns and a script to detects possible exploitation attemptsPaloAlto Networks Unit42 also published a report that also contains information on observed TTPs and information on a PowerShell backdoor called SilverArrowSignatures That Detect This Attack Exploitation YARA (public) EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_1 EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_2 EXPL_LOG_ProxyNotShell_OWASSRF_PowerShell_Proxy_Log_Dec22_3 EXPL_LOG_ProxyNotShell_PowerShell_Proxy_Log_Dec22_1 LOG_ProxyNotShell_POC_CVE_2022_41040_Nov22 EXPL_Exchange_ProxyNotShell_Patterns_CVE_2022_41040_Oct22_1 \u00a0 SIGMA (public) Potential OWASSRF Exploitation Attempt – ProxyUUID: 1ddf4596-1908-43c9-add2-1d2c2fcc4797 Potential OWASSRF Exploitation Attempt – WebserverUUID: 181f49fa-0b21-4665-a98c-a57025ebb8c7 Post-Exploitation SIGMA (Private) Microsoft Exchange ProxyNotShell ExploitUUID: df23d4fb-b12b-4425-a340-8d59e2460c43 Webshell Detection Suspicious ChildrenUUID: 9a8e8057-32a7-432d-bf80-197dacf1a77f Shells Spawned by Web Servers in Process TreeUUID: 6dc0f4e1-7a11-429f-b240-d9f852cea8b3 SIGMA (Public) Suspicious File Drop by ExchangeUUID: 6b269392-9eba-40b5-acb6-55c882b20ba6 Shells Spawned by Web ServersUUID: 8202070f-edeb-4d31-a010-a26c72ac5600    <\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[670,749,1,32,248],"tags":[650,69,603,82,688,687,5,607,48],"class_list":["post-15112","post","type-post","status-publish","format-standard","hentry","category-aurora","category-homepage","category-nextron","category-thor","category-thor-lite","tag-aurora","tag-compromise-assessment","tag-exchange","tag-ioc","tag-owassrf","tag-proxynotshell","tag-thor","tag-thor-lite","tag-yara"],"yoast_head":"\nExtended ProxyNotShell Detection Covering OWASSRF - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Extended ProxyNotShell Detection Covering OWASSRF\",\"datePublished\":\"2022-12-23T11:42:10+00:00\",\"dateModified\":\"2024-04-12T14:33:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/\"},\"wordCount\":611,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"Aurora\",\"compromise assessment\",\"Exchange\",\"ioc\",\"OWASSRF\",\"ProxyNotShell\",\"thor\",\"THOR Lite\",\"YARA\"],\"articleSection\":[\"Aurora\",\"Homepage\",\"Nextron\",\"THOR\",\"THOR Lite\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/\",\"name\":\"Extended ProxyNotShell Detection Covering OWASSRF - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2022-12-23T11:42:10+00:00\",\"dateModified\":\"2024-04-12T14:33:26+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Extended ProxyNotShell Detection Covering OWASSRF - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Extended ProxyNotShell Detection Covering OWASSRF","datePublished":"2022-12-23T11:42:10+00:00","dateModified":"2024-04-12T14:33:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/"},"wordCount":611,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["Aurora","compromise assessment","Exchange","ioc","OWASSRF","ProxyNotShell","thor","THOR Lite","YARA"],"articleSection":["Aurora","Homepage","Nextron","THOR","THOR Lite"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/","url":"https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/","name":"Extended ProxyNotShell Detection Covering OWASSRF - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2022-12-23T11:42:10+00:00","dateModified":"2024-04-12T14:33:26+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2022\/12\/23\/extended-proxynotshell-detection-covering-owassrf\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/15112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=15112"}],"version-history":[{"count":11,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/15112\/revisions"}],"predecessor-version":[{"id":15135,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/15112\/revisions\/15135"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=15112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=15112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=15112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}