This artifact hunts for CVE-2021-27065 (Microsoft Exchange ProxyLogon RCE) and CVE-2021-31207 (Microsoft Exchange ProxyShell RCE) exploitation by parsing entries in the ‘MSExchange Management.evtx’ log.
This log file is unique to Exchange and can be useful when ECP logs are no longer available.
ProxyLogon webshell detection syntax is specific to ‘China Chopper’ via the PowerShell ‘Set-OabVirtualDirectory’ cmdlet.
ProxyShell webshell detection syntax is specific to PowerShell ‘New-MailboxExportRequest’ and ‘New-ExchangeCertificate’ cmdlets.
name: Windows.Detection.ProxyLogon.ProxyShell
description: |
This artifact hunts for CVE-2021-27065 (Microsoft Exchange ProxyLogon RCE)
and CVE-2021-31207 (Microsoft Exchange ProxyShell RCE) exploitation by parsing
entries in the 'MSExchange Management.evtx' log.
This log file is unique to Exchange and can be useful when ECP logs are
no longer available.
ProxyLogon webshell detection syntax is specific to
'China Chopper' via the PowerShell 'Set-OabVirtualDirectory' cmdlet.
ProxyShell webshell detection syntax is specific to PowerShell
'New-MailboxExportRequest' and 'New-ExchangeCertificate' cmdlets.
author: Deepak Sharma - @rxurien
type: CLIENT
reference:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.mandiant.com/resources/change-tactics-proxyshell-vulnerabilities
precondition: SELECT OS From info() where OS = 'windows'
parameters:
- name: LogFile
default: C:/Windows/System32/Winevt/Logs/MSExchange Management.evtx
description: Default EVTX Path
sources:
- queries:
- SELECT timestamp(epoch=int(int=System.TimeCreated.SystemTime)) as CreationTime,
System.Channel as Channel,
System.EventID.Value as EventID,
Message,
EventData.Data[0] as Cmdlet,
EventData.Data[1] as Payload,
EventData
FROM parse_evtx(filename=LogFile)
WHERE (((Message =~ "new-mailboxexportrequest"or Message =~ "new-exchangecertificate") and Message =~ "aspx") or
((Cmdlet =~ "new-mailboxexportrequest" or Cmdlet =~ "new-exchangecertificate") and Payload =~ "aspx") or
(Message =~ "set-oabvirtualdirectory" and Message =~ "script") or (Cmdlet =~ "set-oabvirtualdirectory" and Payload =~ "script"))