title: Microsoft Exchange Servers exploits - ProxyLogon and ProxyShell
id: 45d2cc7c-2017-4b74-a269-93b4112b19ee
description: |
  `exploit_1` : Detects exploitation of CVE-2021-27065 AKA ProxyLogon.
  The exploitation chains multiple vulnerabilities to drop a webshell in an arbitrary folder.
  The content of the webshell is located between the script tags.
  Example of malicious command: `Set-OabVirtualDirectory -ExternalUrl 'http://f/'`

  `exploit_2` : Detects exploitation of ProxyShell.
  The exploitation chains multiple vulnerabilities to drop a webshell in an arbitrary folder.
  Example of malicious command: `New-MailBoxExportRequest -Mailbox john.doe@enterprise.corp -FilePath \\127.0.0.1\C$\path\to\webshell.aspx`

  Investigation process:
  - Search for malicious behavior of `w3wp.exe` (uncommon child, memory manipulation...)
status: production
author: ANSSI
references:
  # ProxyLogon
  - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
  - https://github.com/hausec/ProxyLogon
  - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
  # ProxyShell
  - https://www.cert.ssi.gouv.fr/actualite/CERTFR-2021-ACT-035/
  - https://www.mandiant.com/resources/pst-want-shell-proxyshell-exploiting-microsoft-exchange-servers
tags:
  - attack.initial_access
  - attack.t1190
  # ProxyLogon
  - cve.2021-27065
  # ProxyShell
  - cve.2021-34473
  - cve.2021-34523
  - cve.2021-31207
groups:
  - windows-common
logsource:
  product: windows
  service: msexchange
  category: cmdletlogs
detection:
  # ProxyLogon
  exploit_1:
    Data|contains|all:
      - Set-OabVirtualDirectory
      - ExternalUrl
      - script
  # ProxyShell
  exploit_2:
    Data|contains|all:
      - 'New-MailboxExportRequest'
      - ' -FilePath'
      - '.aspx'
  condition: 1 of exploit_*
falsepositives:
  - None known
level: critical
fields:
  - signal.original_time
  - host.name
  - Data
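The two `Data|contains|all` selections and the `1 of exploit_*` condition above, replayed in Python over constructed Exchange cmdlet log lines. This is an added example for readers of the rule, not part of the ANSSI rule or of any Sigma tooling. It assumes Sigma's default case-insensitive substring semantics for `contains|all`; the host names, timestamps and Data strings are constructed, and the webshell body in the first sample is elided.

```python
"""Replay of the rule's two selections against constructed Exchange cmdlet log events."""
from typing import Dict, List

# Selections copied from the rule. Each is a Sigma `Data|contains|all`: every
# listed substring must be present in the event's Data field.
RULE_SELECTIONS: Dict[str, List[str]] = {
    "exploit_1": ["Set-OabVirtualDirectory", "ExternalUrl", "script"],  # ProxyLogon
    "exploit_2": ["New-MailboxExportRequest", " -FilePath", ".aspx"],  # ProxyShell
}

# Projection listed under `fields` in the rule.
OUTPUT_FIELDS = ["signal.original_time", "host.name", "Data"]


def contains_all(data: str, needles: List[str]) -> bool:
    """Sigma `contains|all`: every needle is a substring of the field.

    Assumption: Sigma string matching is case-insensitive by default, so the
    description's `New-MailBoxExportRequest` spelling still matches.
    """
    haystack = data.lower()
    return all(needle.lower() in haystack for needle in needles)


def evaluate(data: str) -> List[str]:
    """Names of the selections that fire on one Data field (`condition: 1 of exploit_*`)."""
    return [name for name, needles in RULE_SELECTIONS.items() if contains_all(data, needles)]


# Constructed sample events (hypothetical hosts and times, not real telemetry).
# The Data field mirrors the cmdlet-plus-parameters text the MSExchange
# Management cmdlet log carries.
SAMPLE_EVENTS = [
    {"signal.original_time": "2021-03-03T09:14:02Z", "host.name": "exch01",
     "Data": "Cmdlet: Set-OabVirtualDirectory; Parameters: -Identity 'OAB (Default Web Site)' "
             "-ExternalUrl 'http://f/<script>[webshell body elided]</script>'"},
    {"signal.original_time": "2021-08-12T22:41:55Z", "host.name": "exch01",
     "Data": r"Cmdlet: New-MailBoxExportRequest; Parameters: -Mailbox john.doe@enterprise.corp "
             r"-FilePath \\127.0.0.1\C$\path\to\webshell.aspx"},
    # Legitimate PST export: has -FilePath but no .aspx, so exploit_2 must not fire.
    {"signal.original_time": "2021-08-13T07:00:10Z", "host.name": "exch02",
     "Data": r"Cmdlet: New-MailboxExportRequest; Parameters: -Mailbox jane.roe@enterprise.corp "
             r"-FilePath \\backup01\pst\jane.roe.pst"},
    # Legitimate OAB URL change: no 'script' substring, so exploit_1 must not fire.
    {"signal.original_time": "2021-08-13T07:05:31Z", "host.name": "exch02",
     "Data": "Cmdlet: Set-OabVirtualDirectory; Parameters: -Identity 'OAB (Default Web Site)' "
             "-ExternalUrl 'https://mail.enterprise.corp/OAB'"},
    {"signal.original_time": "2021-08-13T07:06:00Z", "host.name": "exch02",
     "Data": "Cmdlet: Get-Mailbox; Parameters: -Identity john.doe@enterprise.corp"},
]


def run(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Apply the rule to every event; return alerts carrying the rule's `fields` projection."""
    alerts = []
    for event in events:
        hits = evaluate(event["Data"])
        if hits:
            alert = {field: event[field] for field in OUTPUT_FIELDS}
            alert["matched"] = hits
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert["signal.original_time"], alert["host.name"], alert["matched"])
        print("   ", alert["Data"])
```

Only the first two constructed events raise an alert; the benign PST export and the routine OAB URL change each match two of the three substrings of their selection but not the third, which is what keeps `-FilePath` exports of `.pst` files and ordinary `Set-OabVirtualDirectory` changes out of the `falsepositives` list.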