Quick and dirty powershell script to look for ManageEngine CVE-2022-47966 IOCs. The script will parse requests in ME HTTP access logs. If a characteristic SAML request is found, it will attempt to decode and extract the attacker's payload. Findings are written to `C:\aceresponder_CVE-2022-47966_checker.csv`. Run as Admin.
Fair warning: these logs don't last long if you have an internet-facing ManageEngine server. The absence of IOCs doesn't mean you're in the clear. Check the oldest log file in `C:\Program Files\ManageEngine\ServiceDesk\logs\access\` for confirmation. Make sure your alerts are up-to-date and hunt for any suspicious activity from the ManageEngine computer account and/or the ME java process.