Known Exploited Vulnerabilities CVE-2022-41082 Mappings

Microsoft Exchange Server Remote Code Execution Vulnerability

Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1567 | Exfiltration Over Web Service | |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1482 | Domain Trust Discovery | |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1087 | Account Discovery | |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | secondary_impact | T1505.003 | Web Shell | |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | primary_impact | T1059.001 | PowerShell | |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1059.001 | PowerShell | |
| CVE-2022-41082 | Microsoft Exchange Server Remote Code Execution Vulnerability | exploitation_technique | T1078 | Valid Accounts | |

Comments (identical for every mapping above)

This vulnerability is exploited by a remote adversary who has either authenticated to a Microsoft Exchange Server or has gained access to PowerShell prior to leveraging this vulnerability. The adversary then performs remote code execution via PowerShell to install a Chopper web shell to perform Active Directory reconnaissance and data exfiltration.