A Different Payload for CVE-2022-47966 - Blog - VulnCheck
Common Information
Type                          Value
UUID                          1d0fb1be-f368-49f3-8c66-1f99554ef8b9
Fingerprint                   b617899b18a292c9
Analysis status               DONE
Considered CTI value          0
Text language
Published                     Feb. 14, 2023, midnight
Added to db                   Aug. 31, 2024, 8:54 a.m.
Last updated                  Nov. 17, 2024, 6:55 p.m.
Headline                      A Different Payload for CVE-2022-47966
Title                         A Different Payload for CVE-2022-47966 - Blog - VulnCheck
Detected Hints/Tags/Attributes 50/1/50
Attributes
Details Type #Events CTI Value
Details CVE 76
cve-2022-47966
Details Yara rule 2
rule LOG_EXPL_ManageEngine_CVE_2022_47966_Jan23 {
	meta:
		description = "Detects Exploitation of Critical ManageEngine Vulnerability: CVE-2022-47966"
		author = "Matt Green - @mgreen27"
		reference = "https://www.rapid7.com/blog/post/2023/01/19/etr-cve-2022-47966-rapid7-observed-exploitation-of-critical-manageengine-vulnerability/"
		date = "2023-01-20"
	strings:
		$s1 = "com.adventnet.authentication.saml.SamlException: Signature validation failed. SAML Response rejected"
		$re1 = /invalid_response --> .{20,}/s
		$ip1 = "111.68.7.122"
		$ip2 = "149.28.193.216"
		$ip3 = "172.93.193.64"
	condition:
		any of them
}