Yara Rule - Detects a C# POC to exploit CVE-2023-29357 on Microsoft SharePoint servers

Yara definition.

Author: Florian Roth

https://github.com/LuemmelSec/CVE-2023-29357

```
date = "2023-09-28"
modified = "2023-10-01"
score = 70
https://x.com/TH3C0DEX/status/1707503935596925048?s=20
https://x.com/theluemmel/status/1707653715627311360?s=20 (plus private chat)
$xr1 = /GET [a-z\.\/_]{0,40}\/web\/(siteusers|currentuser) - (80|443) .{10,200} (python-requests\/[0-9\.]{3,8}|-) [^ ]{1,160} [^4]0[0-9] /

date = "2023-10-01"
modified = "2023-10-01"
score = 80
$x1 = "encoded_payload = base64.urlsafe_b64encode(json.dumps(payload).encode()).rstrip(b'=')"

date = "2023-10-01"
score = 80
$x1 = "{f22d2de0-606b-4d16-98d5-421f3f1ba8bc}" ascii wide
$x2 = "{F22D2DE0-606B-4D16-98D5-421F3F1BA8BC}" ascii wide
$s1 = "Bearer"
$s2 = "hashedprooftoken"
$s3 = "/_api/web/"
$s4 = "X-PROOF_TOKEN"
$s5 = "00000003-0000-0ff1-ce00-000000000000"
$s6 = "IsSiteAdmin"
uint16(0) == 0x5a4d
```


[https://github.com/Neo23x0/signature-base/commit/7d56c3bd6e720961a3c086c6c9c32556cfeba621](https://github.com/Neo23x0/signature-base/commit/7d56c3bd6e720961a3c086c6c9c32556cfeba621)