Windows.Detection.ProxyLogon.ProxyShell :: Velociraptor

Windows.Detection.ProxyLogon.ProxyShell

This artifact hunts for CVE-2021-27065 (Microsoft Exchange ProxyLogon RCE) and CVE-2021-31207 (Microsoft Exchange ProxyShell RCE) exploitation by parsing entries in the ‘MSExchange Management.evtx’ log.

This log file is unique to Exchange and can be useful when ECP logs are no longer available.

ProxyLogon webshell detection syntax is specific to ‘China Chopper’ via the PowerShell ‘Set-OabVirtualDirectory’ cmdlet.

ProxyShell webshell detection syntax is specific to PowerShell ‘New-MailboxExportRequest’ and ‘New-ExchangeCertificate’ cmdlets.


name: Windows.Detection.ProxyLogon.ProxyShell
description: |
  This artifact hunts for CVE-2021-27065 (Microsoft Exchange ProxyLogon RCE)
  and CVE-2021-31207 (Microsoft Exchange ProxyShell RCE) exploitation by parsing 
  entries in the 'MSExchange Management.evtx' log.

  This log file is unique to Exchange and can be useful when ECP logs are
  no longer available. 
  
  ProxyLogon webshell detection syntax is specific to 
  'China Chopper' via the PowerShell 'Set-OabVirtualDirectory' cmdlet.
  
  ProxyShell webshell detection syntax is specific to PowerShell 
  'New-MailboxExportRequest' and 'New-ExchangeCertificate' cmdlets.

author: Deepak Sharma - @rxurien

type: CLIENT

reference:
  - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
  - https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities

precondition: SELECT OS From info() where OS = 'windows'

parameters:
  - name: LogFile
    default: C:/Windows/System32/Winevt/Logs/MSExchange Management.evtx
    description: Default EVTX Path

sources:
  - queries:
      - SELECT timestamp(epoch=int(int=System.TimeCreated.SystemTime)) as CreationTime,
            System.Channel as Channel,
            System.EventID.Value as EventID,
            Message,
            EventData.Data[0] as Cmdlet,
            EventData.Data[1] as Payload,
            EventData
               
        FROM parse_evtx(filename=LogFile)

        WHERE (((Message =~ "new-mailboxexportrequest"or Message =~ "new-exchangecertificate") and Message =~ "aspx") or 
              ((Cmdlet =~ "new-mailboxexportrequest" or Cmdlet =~ "new-exchangecertificate") and Payload =~ "aspx") or 
              (Message =~ "set-oabvirtualdirectory" and Message =~ "script") or (Cmdlet =~ "set-oabvirtualdirectory" and Payload =~ "script"))