
CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell

This Playbook is part of the CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell Pack.

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.

Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.

This playbook includes the following tasks:

  • Collect detection rules, indicators and mitigation tools.
  • Hunt for exploitation patterns using the Cortex XDR - XQL Engine.
  • Hunt for exploitation patterns using third-party SIEM products:
    • Azure Sentinel
    • Splunk
    • QRadar
    • Elasticsearch
  • Hunt for indicators using:
    • PAN-OS
    • Splunk
    • QRadar
  • Provide Microsoft's mitigation and detection capabilities.

More information:

Threat Brief: CVE-2022-41040 and CVE-2022-41082: Microsoft Exchange Server (ProxyNotShell)

References:

Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server

WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER

ProxyNotShell — the story of the claimed zero days in Microsoft Exchange

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

  • QRadar Indicator Hunting V2
  • QRadarFullSearch
  • Rapid Breach Response - Set Incident Info
  • Splunk Indicator Hunting
  • PAN-OS Query Logs For Indicators

Integrations

  • Elasticsearch v2

Scripts

  • HttpV2
  • http
  • ParseHTMLIndicators

Commands

  • xdr-xql-generic-query
  • search
  • azure-log-analytics-execute-query
  • extractIndicators
  • createNewIndicator
  • qradar-search-results-get
  • closeInvestigation
  • associateIndicatorsToIncident
  • qradar-search-create
  • splunk-search

Playbook Inputs


| Name | Description | Default Value | Required |
| --- | --- | --- | --- |
| CVEs | The vulnerabilities' CVE indicators. | CVE-2022-41040,CVE-2022-41082 | Optional |
| SplunkIndex | Splunk's index name in which to search. The default "*" searches all indexes. | * | Optional |
| SplunkEarliestTime | Splunk's earliest time to search. | -7d@d | Optional |
| SplunkLatestTime | Splunk's latest time to search. | now | Optional |
| ElasticIndex | Elastic's index name in which to search. The default "winlogbeat-*" searches all winlogbeat indices. | winlogbeat-* | Optional |
| QRadarTimeRange | QRadar's query time range. | Last 7 DAYS | Optional |
| RunXQLHuntingQueries | Whether to execute the XQL queries. | False | Optional |
| PlaybookDescription | The playbook's description. | Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker. Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability. This playbook includes the following tasks: collect detection rules, indicators and mitigation tools; hunt for exploitation patterns using the Cortex XDR - XQL Engine; hunt for exploitation patterns using third-party SIEM products (Azure Sentinel, Splunk, QRadar, Elasticsearch); hunt for indicators using PAN-OS, Splunk and QRadar; provide Microsoft's mitigation and detection capabilities. References: Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082; Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server; WARNING: NEW ATTACK CAMPAIGN UTILIZED A NEW 0-DAY RCE VULNERABILITY ON MICROSOFT EXCHANGE SERVER; ProxyNotShell — the story of the claimed zero days in Microsoft Exchange. Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
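The following is an added example, not code from the pack or its sub-playbooks. It shows how the inputs in the table above map onto a concrete hunting query for each SIEM the playbook targets: the CVEs list becomes OR-ed search terms, SplunkIndex/SplunkEarliestTime/SplunkLatestTime become the SPL index and time window, QRadarTimeRange becomes the AQL time clause, and ElasticIndex becomes the index pattern for an Elasticsearch search. The query shapes (an SPL phrase search, an AQL ILIKE over the payload, an Elasticsearch query_string body) are assumptions for illustration; the real sub-playbooks may build different queries. The defensive point worth copying is the validation: every input is checked against a strict pattern before it is interpolated into a query string, so a malformed or tampered playbook input cannot smuggle extra operators into the search.

```python
"""Map ProxyNotShell playbook inputs onto per-SIEM indicator-hunting queries.

Added illustration only: the query shapes below are assumptions, not the
pack's own sub-playbook logic.
"""
import json
import re

# Default values exactly as listed in the Playbook Inputs table.
PLAYBOOK_DEFAULTS = {
    "CVEs": "CVE-2022-41040,CVE-2022-41082",
    "SplunkIndex": "*",
    "SplunkEarliestTime": "-7d@d",
    "SplunkLatestTime": "now",
    "ElasticIndex": "winlogbeat-*",
    "QRadarTimeRange": "Last 7 DAYS",
}

# Strict shapes for anything that gets interpolated into a query string.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}$")
# Splunk relative time modifiers: now, -7d@d, -24h, +1d@mon, ...
SPLUNK_TIME_RE = re.compile(r"^(now|[-+]?\d+(s|m|h|d|w|mon|y)(@(s|m|h|d|w|mon|y))?)$")
# QRadar AQL relative range clause, compared case-insensitively.
QRADAR_RANGE_RE = re.compile(r"^LAST \d+ (MINUTES|HOURS|DAYS)$")


def parse_cve_input(raw):
    """Split the comma-separated CVEs input into a de-duplicated list.

    Every item must look like a CVE id; anything else raises, so a value such
    as 'CVE-2022-41040 OR *' can never reach the SIEM query builders.
    """
    cves = []
    for item in raw.split(","):
        cve = item.strip()
        if not cve:
            continue
        if not CVE_RE.match(cve):
            raise ValueError(f"not a CVE id: {cve!r}")
        if cve not in cves:
            cves.append(cve)
    if not cves:
        raise ValueError("CVEs input is empty")
    return cves


def resolve_inputs(overrides=None):
    """Merge caller-supplied inputs over the defaults and validate the
    time-window fields before any query is built."""
    inputs = {**PLAYBOOK_DEFAULTS, **(overrides or {})}
    for key in ("SplunkEarliestTime", "SplunkLatestTime"):
        if not SPLUNK_TIME_RE.match(inputs[key]):
            raise ValueError(f"{key}: unsupported Splunk time modifier {inputs[key]!r}")
    if not QRADAR_RANGE_RE.match(inputs["QRadarTimeRange"].upper()):
        raise ValueError(f"QRadarTimeRange: unsupported range {inputs['QRadarTimeRange']!r}")
    return inputs


def splunk_query(inputs):
    """SPL search: index and time window straight from the inputs, CVE ids
    OR-ed as quoted phrases."""
    cves = parse_cve_input(inputs["CVEs"])
    terms = " OR ".join(f'"{c}"' for c in cves)
    return (
        f'search index={inputs["SplunkIndex"]} '
        f'earliest={inputs["SplunkEarliestTime"]} latest={inputs["SplunkLatestTime"]} '
        f"({terms})"
    )


def qradar_query(inputs):
    """AQL search over the raw event payload; the trailing 'LAST n DAYS'
    clause is the QRadarTimeRange input normalised to upper case."""
    cves = parse_cve_input(inputs["CVEs"])
    where = " OR ".join(f"UTF8(payload) ILIKE '%{c}%'" for c in cves)
    return (
        "SELECT starttime, sourceip, destinationip, UTF8(payload) FROM events "
        f"WHERE {where} {inputs['QRadarTimeRange'].upper()}"
    )


def elastic_query(inputs):
    """Index pattern plus a query_string body for the Elasticsearch _search API."""
    cves = parse_cve_input(inputs["CVEs"])
    body = {"query": {"query_string": {"query": " OR ".join(f'"{c}"' for c in cves)}}}
    return inputs["ElasticIndex"], body


def build_hunt(overrides=None):
    """Return the three product queries that a set of playbook inputs resolves to."""
    inputs = resolve_inputs(overrides)
    index, body = elastic_query(inputs)
    return {
        "splunk": splunk_query(inputs),
        "qradar": qradar_query(inputs),
        "elastic": {"index": index, "body": json.dumps(body)},
    }


if __name__ == "__main__":
    for product, query in build_hunt().items():
        print(f"{product}: {query}")
```

Running the module with no overrides prints the queries the table's defaults produce; passing overrides such as `build_hunt({"SplunkEarliestTime": "-24h"})` narrows the window, while an input that does not match the expected shape is rejected before it is ever sent to a SIEM.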

Playbook Outputs


There are no outputs for this playbook.

Playbook Image


Playbook image: CVE-2022-41040 & CVE-2022-41082 - ProxyNotShell