uber geek blue team cyber commando bad guy annihilator at CrowdStrike OSCP GREM GDAT GC|FA/FE/IH #DFIR #BLUETEAMTIPS

(views are my own)
https://twitter.com/sneakymonk3y

www: http://you.sneakymonkey.net
github: https://github.com/sneakymonk3y
[Image: diagram showing a SSRF IAM credential attack, from https://web.mit.edu/smadnick/www/wp/2020-16.pdf]

#OWASSRF: new exploitation of Exchange servers using OWA as initial entry (full server pwnage with CVE-2022-41080 OWASSRF and CVE-2022-41082 PS RCE). See #ProxyNotShell differences below. This was found during investigations into Play ransomware intrusions.

TLDR: Mitigations and Response:
- ensure November's Exchange CU is patched. Re: KB5019758
- the URL rewrite mitigation for ProxyNotShell is not valid protection here.
- triage Exchange servers with this PowerShell script to search for IOCs: https://github.com/CrowdStrike/OWASSRF

More information available here:
https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ #dfir
