Rule History

alert http any any -> any any (msg: "ATTACK [PTsecurity] MS Exchange 2010-2019 Possible privilege escalation (CVE-2018-8581)"; flow: established, to_server; content: "POST"; http_method; content: "SOAPAction"; http_header; content: "Authorization: NTLM"; http_header; content: "m:SendNotificationResponseMessage"; http_client_body; reference: url, dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/; reference: cve, 2018-8581; reference: url, rules.ptsecurity.com; classtype: attempted-admin; sid: 10004420; rev: 1;)