## https://sploitus.com/exploit?id=A4F881D3-85FA-580E-9465-AA77CE5B7390
# CVE-2022-47966_checker
Quick and dirty powershell script to look for ManageEngine CVE-2022-47966 IOCs. The script will parse requests in ME HTTP access logs. If a characteristic SAML request is found, it will attempt to decode and extract the attacker's payload. Findings are written to `C:\aceresponder_CVE-2022-47966_checker.csv`. Run as Admin.
Fair warning: these logs don't last long if you have an internet-facing ManageEngine server. The absence of IOCs doesn't mean you're in the clear. Check the oldest log file in `C:\Program Files\ManageEngine\ServiceDesk\logs\access\` for confirmation. Make sure your alerts are up-to-date and hunt for any suspicious activity from the ManageEngine computer account and/or the ME java process.
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_manageengine_pattern.yml
