26 lines
863 B
YAML
26 lines
863 B
YAML
title: Certificate Request Export to Exchange Webserver
|
|
author: Max Altgelt
|
|
date: 2021/08/23
|
|
description: Detects a write of an Exchange CSR to an untypical directory or with
|
|
aspx name suffix which can be used to place a webshell
|
|
detection:
|
|
condition: ((New-ExchangeCertificate and -GenerateRequest and -BinaryEncoded
|
|
and -RequestFile) and (\\\\localhost\\C$ or \\\\127.0.0.1\\C$ or C:\\inetpub
|
|
or .aspx))
|
|
falsepositives:
|
|
- unlikely
|
|
id: b7bc7038-638b-4ffd-880c-292c692209ef
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
service: msexchange-management
|
|
references:
|
|
- https://twitter.com/GossiTheDog/status/1429175908905127938
|
|
status: experimental
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|
|
yml_filename: win_exchange_proxyshell_certificate_generation.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other
|
|
|