This pack is part of the Rapid Breach Response pack.
Microsoft is investigating two reported zero-day vulnerabilities affecting Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. The first one, identified as CVE-2022-41040, is a Server-Side Request Forgery (SSRF) vulnerability, and the second one, identified as CVE-2022-41082, allows Remote Code Execution (RCE) when PowerShell is accessible to the attacker.
Currently, Microsoft is aware of limited targeted attacks using these two vulnerabilities. In these attacks, CVE-2022-41040 can enable an authenticated attacker to remotely trigger CVE-2022-41082. It should be noted that authenticated access to the vulnerable Exchange Server is necessary to successfully exploit either vulnerability.
This playbook includes the following tasks:
- Collect detection rules, indicators, and mitigation tools.
- Hunt for exploitation patterns using the Cortex XDR XQL engine.
- Hunt for exploitation patterns using third-party SIEM products.
- Hunt for indicators.
- Provide Microsoft's mitigation and detection guidance.
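As an illustration of the kind of exploitation-pattern hunt the playbook automates, the following is an added example (not code from this pack or from Microsoft). It scans W3C-format IIS request logs for the URL pattern Microsoft published for its URL Rewrite mitigation, which flags request URIs that contain both "autodiscover" and "powershell" after URL decoding. The log lines, the field layout, and the addresses are constructed for the example; the decoding step matters because Microsoft revised its original rule to operate on the decoded URI.

```python
import re
from urllib.parse import unquote

# Regex from Microsoft's published URL Rewrite mitigation guidance; it is meant
# to be applied to the URL-decoded request URI, so decode before matching.
MITIGATION_PATTERN = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed W3C IIS log excerpt (not from a real server). The "#Fields:"
# header declares the column order, exactly as IIS writes it.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-09-30 10:01:02 10.0.0.5 POST /autodiscover/autodiscover.xml - 192.0.2.10 200
2022-09-30 10:01:09 10.0.0.5 GET /owa/ - 192.0.2.11 200
2022-09-30 10:02:17 10.0.0.5 POST /autodiscover/autodiscover.json?a=x@example.test/powershell - 198.51.100.7 200
2022-09-30 10:02:41 10.0.0.5 POST /autodiscover/autodiscover.json?a=x@example.test/%70owershell - 198.51.100.7 200
"""


def suspicious_requests(log_text):
    """Return the log records whose decoded URI matches the mitigation pattern.

    Each hit is a dict with the request time, client address, and decoded URI,
    which is the minimum a responder needs to pivot into further hunting.
    """
    hits = []
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # adopt the column order IIS declared
            continue
        if line.startswith("#") or not line.strip():
            continue                       # other directives and blank lines
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue                       # malformed or unexpected line shape
        rec = dict(zip(fields, parts))
        uri = rec["cs-uri-stem"]
        if rec["cs-uri-query"] != "-":     # IIS logs "-" for an empty query
            uri += "?" + rec["cs-uri-query"]
        decoded = unquote(uri)             # normalise percent-encoding first
        if MITIGATION_PATTERN.search(decoded):
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec["c-ip"],
                "uri": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['client']}  {hit['uri']}")
```

Only the two JSON autodiscover requests are reported; the ordinary autodiscover.xml and OWA traffic is not. The percent-encoded variant is caught only because the URI is decoded before the pattern runs, which is the same reason the mitigation rule itself is configured against the decoded URI.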