Hub configuration

More info

CVE-2022-37042 Scenario

« CVE-2022-37042 »
v0.2 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:zimbraspoofable:0MITRE:T1595MITRE:T1190confidence:3

Detect CVE-2022-37042 exploits

Installation

cscli scenarios install crowdsecurity/CVE-2022-37042

Description

Detects attempts of exploit of CVE-2022-37042 RCE vulnerability.

YAML Configuration

1type: trigger
2#debug: true
3name: crowdsecurity/CVE-2022-37042
4description: "Detect CVE-2022-37042 exploits"
5filter: |
6  (
7  Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
8  Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd') 
9  )
10  and evt.Meta.http_status startsWith ('40') and
11  Upper(evt.Meta.http_verb) == 'POST'
12
13blackhole: 2m
14groupby: "evt.Meta.source_ip"
15labels:
16  type: exploit
17  remediation: true
18  classification:
19    - attack.T1595
20    - attack.T1190
21    - cve.CVE-2022-37042
22  spoofable: 0
23  confidence: 3
24  behavior: "http:exploit"
25  label: "ZCS CVE-2022-37042"
26  service: zimbra
27

Hub configuration

« CVE-2022-37042 »v0.2 by crowdsecurityAttack scenarioremediation:truetype:exploit service:zimbraCVE-2022-37042spoofable:0MITRE:T1595MITRE:T1190confidence:3

« CVE-2022-37042 »
v0.2 by crowdsecurity
Attack scenarioremediation:truetype:exploit service:zimbraspoofable:0MITRE:T1595MITRE:T1190confidence:3