# CrowdSec scenario: flag HTTP events whose request path carries one of the two
# literal mboximport URLs used to exploit Zimbra Collaboration Suite
# (CVE-2022-37042). File was collapsed onto one line; layout restored, no
# token changed.
type: trigger
#debug: true
name: crowdsecurity/CVE-2022-37042
description: "Detect CVE-2022-37042 exploits"
# All three conditions must hold on a single parsed HTTP event:
#   1. http_path contains one of the two literal mboximport query strings
#      (both sides are upper-cased, so the comparison is case-insensitive);
#   2. http_status starts with '40' (any 40x response);
#   3. http_verb is POST (case-insensitive).
# Limitation: the path check is a substring match on a fixed parameter order.
# The same parameters reordered, or with different URL-encoding (e.g. %2F,
# %3D), will not match — treat this as a high-confidence, low-recall signal.
# NOTE(review): because of the 40x restriction a request answered 2xx never
# fires. Public write-ups of this CVE report that vulnerable builds answer 401
# even after processing the uploaded archive, which would make 40x the right
# signal here — confirm against real Zimbra access logs before loosening or
# tightening it.
filter: |
  (
    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&ow=2&no-switch=1&append=1') ||
    Upper(evt.Meta.http_path) contains Upper('/service/extension/backup/mboximport?account-name=admin&account-status=1&ow=cmd')
  )
  and evt.Meta.http_status startsWith ('40')
  and Upper(evt.Meta.http_verb) == 'POST'
# blackhole: presumably suppresses repeat alerts for the same groupby key for
# 2 minutes after a trigger — verify against the CrowdSec scenario reference.
blackhole: 2m
# One alert per offending client address.
groupby: "evt.Meta.source_ip"
labels:
  type: exploit
  # remediation: true marks the alert as actionable (ban) by bouncers.
  remediation: true
  # MITRE ATT&CK technique IDs plus the CVE identifier for correlation.
  classification:
    - attack.T1595
    - attack.T1190
    - cve.CVE-2022-37042
  # spoofable: 0 — the event is a completed POST over TCP, so the source
  # address is not spoofable; safe to act on source_ip.
  spoofable: 0
  confidence: 3
  behavior: "http:exploit"
  label: "ZCS CVE-2022-37042"
  service: zimbra