SID 1:61933

Rule Category

SERVER-MAIL -- Snort has detected traffic exploiting vulnerabilities in mail servers (such as Exchange, Courrier). These are different from protocol traffic, as this deals with the traffic going to the mail server itself.

Alert Message

SERVER-MAIL Microsoft Exchange Server remote PowerShell session type confusion attempt

Rule Explanation

This rule looks for a Clixml object containing the malicious type System.Windows.Markup.XamlReader[][].

What To Look For

This rule alerts on an attempt to execute code on a Microsoft Exchange server using a type confusion bypass.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Execution::User Execution::Malicious File

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Attachment. Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

MITRE::ATT&CK Framework::Enterprise::Privilege Escalation::Exploitation for Privilege Escalation

Privilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.

Rule Categories::Server::Mail

CVE

None

Additional Links

portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2023-28310

Rule Vulnerability

No information provided

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.

None