PT-2022-14862 · Undefined · Undefined
Published
2022-10-03
·
Updated
2022-10-12
·
CVE-2022-21082
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
#ParsedReport
2022-10-01
Analyzing attacks using the Exchange vulnerabilities CVE-2022-41040 and CVE-2022-41082
Threats:
China Chopper
Backdoor:Win32/RewriteHttp.A
Win32/IISExchgDropWebshell.A!dha
Trojan:Win32/IISExchgSpawnCMD.A
Trojan:Win32/WebShellTerminal.A
Trojan:Win32/WebShellTerminal.B
ProxyShell vulnerability
CVEs:
CVE-2022-41040 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown
Vulners: Exploitation: Unknown
X-Force: Risk: 6.5
X-Force: Patch: Official fix
CVE-2022-21082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown
Vulners: Exploitation: Unknown
X-Force: Risk: Unknown
X-Force: Patch: Unknown
CVE-2022-41082 [Vulners]
Vulners: Score: Unknown, CVSS: Unknown
Vulners: Exploitation: Unknown
X-Force: Risk: 8.8
X-Force: Patch: Official fix
TTPs:
Tactics: 3
Techniques: 0
IOCs:
File: 1
Software:
Microsoft Defender for Endpoint, Microsoft Defender, Microsoft 365 Defender, Microsoft Exchange Server, Active Directory, Microsoft Exchange, Windows Hello
Links:
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
https://github.com/Azure/Azure-Sentinel/blob/08a8d2b9c5c9083e341be447773a34b56b205dee/Detections/W3CIISLog/ProxyShellPwn2Own.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/PotentialWebshell.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/W3CIISLog/MaliciousAlertLinkedWebRequests.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http proxy oab CL/ExchagngeSuspiciousFileDownloads.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/W3CIISLog/WebShellActivity.yaml
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/exchange-iis-worker-dropping-webshell.yaml
Related Identifiers
Affected Products
Undefined