Description

ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Risk, Web
  • Last Updated: 2021-08-24
  • Author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
  • ID: 413bb68e-04e2-11ec-a835-acde48001122

Narrative

During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. On August 5th, the same researcher publicly released further details and demonstrated the attack chain. The chain consists of three vulnerabilities:

  • CVE-2021-34473 - Pre-auth path confusion leads to ACL bypass (patched in April by KB5001779)
  • CVE-2021-34523 - Elevation of privilege on the Exchange PowerShell backend (patched in April by KB5001779)
  • CVE-2021-31207 - Post-auth arbitrary file write leads to RCE (patched in May by KB5003435)

Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell cmdlets to perform further actions.

Detections

| Name | Technique | Type |
|---|---|---|
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application, External Remote Services | TTP |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| MS Exchange Mailbox Replication service writing Active Server Pages | Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services | TTP |
| ProxyShell ProxyNotShell Behavior Detected | Exploit Public-Facing Application, External Remote Services | Correlation |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
| Windows Exchange Autodiscover SSRF Abuse | Exploit Public-Facing Application, External Remote Services | TTP |
| Windows Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| Windows MSExchange Management Mailbox Cmdlet Usage | Command and Scripting Interpreter, PowerShell | Anomaly |
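As an added illustration of the host-side logic behind two of the detections above ("W3WP Spawning Shell" and "MS Exchange Mailbox Replication service writing Active Server Pages"), here is a small Python triage routine that is not part of the Splunk content itself. It assumes Sysmon-style process-creation and file-creation events; the event records, the shell list and the file paths are constructed for the example.

```python
"""Toy host-side triage for two ProxyShell-related detections:
 - the IIS worker process w3wp.exe spawning a command shell
 - the Mailbox Replication service (MRS) writing an .aspx file
Event records mimic Sysmon EventID 1 (process create) and EventID 11
(file create); they are constructed samples, not real telemetry."""
from dataclasses import dataclass
import ntpath

# Assumption: the shells worth flagging under an IIS worker process.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MRS_IMAGE = "msexchangemailboxreplication.exe"


@dataclass
class Event:
    event_id: int           # 1 = process create, 11 = file create
    image: str              # process performing the action
    parent_image: str = ""  # parent process (process create only)
    target: str = ""        # file written (file create only)


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def w3wp_spawning_shell(ev: Event) -> bool:
    """w3wp.exe (IIS/OWA worker) should not be launching shells."""
    return ev.event_id == 1 and _base(ev.parent_image) == "w3wp.exe" \
        and _base(ev.image) in SHELLS


def mrs_writing_aspx(ev: Event) -> bool:
    """MRS writing server-side script is the CVE-2021-31207 file-write tell."""
    return ev.event_id == 11 and _base(ev.image) == MRS_IMAGE \
        and ev.target.lower().endswith(".aspx")


def triage(events):
    """Return (detection name, event) pairs for every matching event."""
    hits = []
    for ev in events:
        if w3wp_spawning_shell(ev):
            hits.append(("W3WP Spawning Shell", ev))
        if mrs_writing_aspx(ev):
            hits.append(("MS Exchange Mailbox Replication service writing Active Server Pages", ev))
    return hits


# Constructed sample events: one benign, one of each suspicious pattern.
SAMPLE = [
    Event(1, r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\System32\inetsrv\w3wp.exe"),
    Event(11, r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
          target=r"C:\inetsrv\wwwroot\aspnet_client\example.aspx"),
]
```

Run `triage(SAMPLE)` to see the two flagged events; the benign explorer.exe-launched shell is ignored.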

Reference

source | version: 1