# LetsDefend-CVE-2022-41082-Exploitation-Attempt
## 🛡️ Incident Report: CVE-2022-41082 Exploitation Attempt
### 📅 Date: Sep 30, 2022
### 🕒 Time: 07:19 AM
### 🚨 Severity: High
### 🆔 Incident ID: 125
---
## 📊 Details
| Key Attribute | Value |
|----------------------------|----------------------------------------------------------------------------------------------------------------------|
| **Event ID** | 125 |
| **Event Time** | Sep 30, 2022, 07:19 AM |
| **Rule** | SOC175 - PowerShell Found in Requested URL |
| **Level** | Security Analyst |
| **Hostname** | Exchange Server 2 |
| **Destination IP Address** | 172.16.20.8 |
| **Log Source** | IIS |
| **Source IP Address** | 58.237.200.6 |
| **Request URL** | `/autodiscover/autodiscover.json?@evil.com/owa/&Email=autodiscover/autodiscover.json%3f@evil.com&Protocol=XYZ&FooProtocol=Powershell` |
| **HTTP Method** | GET |
| **User-Agent** | Mozilla/5.0 zgrab/0.x |
| **Action** | Blocked |
| **Alert Trigger Reason** | Request URL Contains PowerShell |
---
### How it looks on the SIEM tool (LetsDefend)

---
### What is CVE-2022-41082? Let's get to know what CVE-2022-41082 exploitation is, because I don't know either 😄 lol
CVE-2022-41082 is a high-severity (CVSS 8.8) Remote Code Execution (RCE) vulnerability in on-premises Microsoft Exchange Server. It was publicly disclosed on 29 September 2022 after being observed in the wild, and it is chained with CVE-2022-41040 in the exploit chain known as ProxyNotShell. Microsoft shipped the fix in the November 2022 Exchange Security Updates; Exchange Online is not affected.
Affected on-premises versions:
- **Microsoft Exchange Server 2013**
- **Microsoft Exchange Server 2016**
- **Microsoft Exchange Server 2019**
### ⚠️ Vulnerability Details
**CVE-2022-41082** becomes reachable once an attacker can send requests to the Exchange **PowerShell endpoint** (`/powershell`) on the backend of an exposed **Exchange Server**.
Through **PowerShell remoting** the attacker can then execute **arbitrary commands** on the server.
In practice the endpoint is reached via a **crafted Autodiscover URL** that abuses **CVE-2022-41040** (an SSRF in the front-end proxy) to forward the request to the backend. Unlike 2021's ProxyShell, this chain does **not** bypass authentication: the attacker needs valid credentials for any mailbox user, however low-privileged, before either bug can be triggered.
---
### 🔗 Exploit Chain (ProxyNotShell)
1. **CVE-2022-41040 (SSRF)**: an authenticated request to `/autodiscover/autodiscover.json` is proxied by the front end to a backend path of the attacker's choosing, including the PowerShell endpoint.
2. **CVE-2022-41082 (RCE)**: commands are executed remotely through PowerShell remoting on the endpoint reached in step 1.
---
### 💥 Impact
- **Full system compromise.**
- Attackers can install **malware**, create **backdoors**, and move **laterally** within the network.
- Often used to deploy **web shells** or **ransomware**.
---
### 🔍 Mitigation
- Apply the Microsoft Exchange Security Update that fixes both CVEs (released 8 November 2022); earlier Security Updates do not contain the fix.
- Until the update is installed, Microsoft's interim mitigation was an IIS URL Rewrite rule on the Autodiscover site that blocks requests whose URL-decoded `REQUEST_URI` matches `(?=.*autodiscover)(?=.*powershell)`. The first version of that rule matched the raw, still-encoded URI and required a literal `@`, and was bypassed by URL-encoding the request, so the decoded form is the one to use.
- Disable Remote PowerShell for non-administrative users (`Set-User -RemotePowerShellEnabled $false`) and keep the Remote PowerShell ports (HTTP 5985, HTTPS 5986) off the internet with network segmentation.
- Monitor the IIS logs for the URL patterns described under Detection and watch for unexpected **PowerShell activity** on the server.
---
### Detection (how we detect this exploitation)
1. Log analysis:
- Check the IIS logs (by default under `C:\inetpub\logs\LogFiles\W3SVC1` on the Exchange front end) for suspicious request patterns.
- Look for requests whose URI contains both **autodiscover.json** and **PowerShell**. Microsoft's published hunting query greps the IIS logs for lines containing `powershell`, `autodiscover.json`, `@` and status `200` in that order; a hit with status 200 means the request reached the backend rather than being rejected.
- URL-decode the request before matching: a `%40` in place of `@` defeats a match on the raw log line while the backend still decodes it.
2. Indicators of Compromise (IoCs):
- Unusual processes running as the Exchange server account.
- Suspicious PowerShell command executions.
- Web shell files dropped under `C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\`.
3. Memory and process monitoring:
- Unexpected child processes of `w3wp.exe` (the IIS worker process), such as `cmd.exe` or `powershell.exe`.
- PowerShell instances whose parent process chain leads back to IIS.
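The IIS log hunt from the Detection section and the URL-decoding caveat from the Mitigation section, as an added Python example. This is not code from the original write-up or from Microsoft; it parses W3C-format IIS log lines, reassembles the raw `REQUEST_URI`, and applies two rules: `RAW_PATTERN` reproduces Microsoft's first URL Rewrite pattern (matched against the raw URI, literal `@` required) and `DECODED_PATTERN` reproduces the revised pattern applied to the URL-decoded URI. The three log lines are constructed for the example (the first mirrors the alert on this page, the third is a URL-encoded variant of the same probe); the scanner user-agent token list and the "status 200 means the request reached the backend" heuristic are assumptions.

```python
"""Hunt IIS W3C logs for ProxyNotShell-style requests (autodiscover.json + PowerShell).

Added example with constructed log lines; not taken from a real server.
"""
import re
from urllib.parse import unquote

# Constructed sample log. Field order comes from the #Fields header line.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-09-30 07:19:00 172.16.20.8 GET /autodiscover/autodiscover.json @evil.com/owa/&Email=autodiscover/autodiscover.json%3f@evil.com&Protocol=XYZ&FooProtocol=Powershell 443 - 58.237.200.6 Mozilla/5.0+zgrab/0.x 403
2022-09-30 07:20:11 172.16.20.8 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 10.0.0.5 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-30 07:21:45 172.16.20.8 POST /autodiscover/autodiscover.json %40evil.com/powershell/&Email=autodiscover/autodiscover.json%3f%40evil.com&Protocol=XYZ&FooProtocol=Power%53hell 443 - 203.0.113.9 python-requests/2.28 200
"""

# Microsoft's first URL Rewrite pattern, applied to the raw {REQUEST_URI}: needs a literal '@'.
RAW_PATTERN = re.compile(r".*autodiscover\.json.*\@.*Powershell.*", re.IGNORECASE)
# The revised pattern, applied to {UrlDecode:{REQUEST_URI}}: both tokens anywhere, no '@' needed.
DECODED_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Assumption: substrings typical of mass-scanning tools seen in user-agent strings.
SCANNER_UA_TOKENS = ("zgrab", "masscan", "nmap", "python-requests")


def parse_iis_log(text):
    """Turn W3C-format IIS log text into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line: skip rather than misalign columns
        row = dict(zip(fields, values))
        # IIS writes spaces inside the User-Agent field as '+'
        row["cs(User-Agent)"] = row.get("cs(User-Agent)", "-").replace("+", " ")
        rows.append(row)
    return rows


def request_uri(row):
    """Reassemble the raw REQUEST_URI as IIS saw it: stem plus '?query' when a query exists."""
    query = row.get("cs-uri-query", "-")
    return row["cs-uri-stem"] + ("" if query == "-" else "?" + query)


def matches_raw_rule(uri):
    """First-generation rule: evaluated on the still-encoded URI."""
    return RAW_PATTERN.search(uri) is not None


def matches_decoded_rule(uri):
    """Revised rule: evaluated after URL decoding, so %40 and %53 no longer hide the tokens."""
    return DECODED_PATTERN.search(unquote(uri)) is not None


def is_scanner_ua(user_agent):
    ua = user_agent.lower()
    return any(tok in ua for tok in SCANNER_UA_TOKENS)


def hunt(text):
    """Return one finding per request the decoded rule flags; evades_raw_rule marks encoded variants."""
    findings = []
    for row in parse_iis_log(text):
        uri = request_uri(row)
        if not matches_decoded_rule(uri):
            continue
        findings.append({
            "time": f"{row['date']} {row['time']}",
            "client_ip": row["c-ip"],
            "method": row["cs-method"],
            "status": int(row["sc-status"]),
            "scanner_ua": is_scanner_ua(row["cs(User-Agent)"]),
            "evades_raw_rule": not matches_raw_rule(uri),
            # Assumption: 200 means the front end forwarded the request; anything else was refused.
            "needs_triage": row["sc-status"] == "200",
        })
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_IIS_LOG):
        print(finding)
```

Running the script prints two findings: the zgrab probe from the alert (blocked, matched by both rules) and the encoded POST, which only the decoded rule catches and which returned 200, so it is the one that needs triage. Point `hunt()` at the contents of a real `u_ex*.log` file to run the same check on production logs.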
---
## CVE Record Information

---
## Summary
On **September 30, 2022**, at **07:19 AM**, an exploitation attempt against **Exchange Server 2** (172.16.20.8) was detected and blocked. The event, **EventID 125**, was raised by the rule **SOC175 - PowerShell Found in Requested URL** and points at **CVE-2022-41082**. The request came from **58.237.200.6**, an address allocated to **SK Broadband Co Ltd** in **Daegu, South Korea**, which has previously been reported for **SSH brute-force attacks**. It targeted the **Autodiscover endpoint** with the URL shape used by ProxyNotShell probes: `autodiscover.json` combined with a `Powershell` token in the query string.
That shape belongs to the **ProxyNotShell** chain, **CVE-2022-41040 (SSRF)** followed by **CVE-2022-41082 (RCE)**, which lets an authenticated attacker run arbitrary commands through **PowerShell remoting**. The request was classified as malicious because of the **PowerShell** token in the URL and the **zgrab user-agent**, which indicates automated mass scanning rather than a hand-crafted attack; since the chain needs valid mailbox credentials, a scanner probe of this kind cannot by itself achieve code execution. The request was blocked, so no **remote code execution** or system compromise took place.
To mitigate this threat, ensure that all **Exchange Servers are patched** (confirm the Security Update level on Exchange Server 2) and that the **URL Rewrite rule** is applied on any host that is not yet patched. Search the IIS logs for other hits on the same pattern, in particular any with status 200 or from the same source, and **block the source IP**. Restricting **external access to Autodiscover** where the deployment allows it and disabling **Remote PowerShell for non-administrative accounts** are also recommended. Ongoing monitoring for the same URL pattern will catch repeat attempts.
---
### Screenshots




File snapshot
[4.0K] /data/pocs/343df243ce098216e846e35a878843c61036a842
├── [ 97K] alert1.png
├── [135K] Ap.png
├── [154K] closed.png
├── [ 69K] endpoint1.png
├── [ 72K] endpoint.png
├── [6.6K] README.md
└── [ 65K] RecordInf.png
0 directories, 7 files