
Description

ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-08-24
  • Author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
  • ID: 413bb68e-04e2-11ec-a835-acde48001122

Narrative

During Pwn2Own in April 2021, a security researcher demonstrated an attack chain targeting on-premises Microsoft Exchange Server. On August 5, 2021, the same researcher publicly released further details and demonstrated the attack chain, which consists of three vulnerabilities:

  1. CVE-2021-34473 - Pre-auth path confusion leads to ACL bypass (patched in April 2021 by KB5001779)
  2. CVE-2021-34523 - Elevation of privilege on the Exchange PowerShell backend (patched in April 2021 by KB5001779)
  3. CVE-2021-31207 - Post-auth arbitrary file write leads to RCE (patched in May 2021 by KB5003435)

Upon successful exploitation, the remote attacker has SYSTEM privileges on the Exchange Server. In addition to remote access and code execution, the adversary can run Exchange PowerShell cmdlets (for example, to export mailboxes to a web-accessible path, which is how the file write in step 3 is reached) to perform further actions. Note that the first two CVEs were fixed by the April 2021 security update before the CVE identifiers were published in July 2021, so a server that received KB5001779 in April was already protected against the pre-auth steps even though no CVE was listed at the time.

Detections

  Name                                 Technique                                                   Type
  Detect Exchange Web Shell            Server Software Component: Web Shell (T1505.003)            TTP
  Exchange PowerShell Abuse via SSRF   Exploit Public-Facing Application (T1190)                   TTP
  Exchange PowerShell Module Usage     Command and Scripting Interpreter: PowerShell (T1059.001)   TTP
  W3WP Spawning Shell                  Server Software Component: Web Shell (T1505.003)            TTP
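The following is an added example, not part of Splunk's security content and not a transcription of the SPL searches listed above. It re-implements the logic behind two of the detections (Exchange PowerShell Abuse via SSRF, and W3WP Spawning Shell) in plain Python over constructed sample data, so the shape of what each rule looks for can be inspected offline. The IIS log lines, the process-creation events, the field names (IIS W3C extended format and a Sysmon-style parent/child record) and the X-Rps-CAT token value are all constructed for illustration and are assumptions, not Splunk's Endpoint datamodel fields.

```python
"""
Added example: offline re-implementation of two ProxyShell detection ideas.

  1. Exchange PowerShell Abuse via SSRF: a request whose path is the
     front-end Autodiscover handler but whose query string smuggles the
     backend "/powershell" path (the CVE-2021-34473 path-confusion shape).
  2. W3WP Spawning Shell: a process-creation event whose parent is the IIS
     worker process w3wp.exe and whose child is a command interpreter.

All data below is constructed; field names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed IIS W3C log excerpt. Line 2 has the ProxyShell path-confusion
# shape: Autodiscover path, backend /powershell path and an X-Rps-CAT token
# in the query. Line 3 targets a different backend (mapi/nspi) and is
# deliberately NOT matched by this rule, which is scoped to PowerShell.
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-08-24 10:00:01 203.0.113.5 GET /owa/auth/logon.aspx - 200
2021-08-24 10:00:07 203.0.113.5 GET /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 200
2021-08-24 10:00:09 203.0.113.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?X-Rps-CAT=VgEAVAdXaW5kb3dz 200
2021-08-24 10:00:12 203.0.113.9 GET /ecp/default.aspx - 302
"""

# Constructed process-creation events (parent -> child).
PROCESS_EVENTS = [
    {"parent_name": "w3wp.exe", "process_name": "conhost.exe", "cmdline": "conhost.exe 0x4"},
    {"parent_name": "w3wp.exe", "process_name": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"parent_name": "explorer.exe", "process_name": "powershell.exe", "cmdline": "powershell.exe"},
    {"parent_name": "w3wp.exe", "process_name": "powershell.exe", "cmdline": "powershell.exe -enc SQBFAFgA"},
]

# Interpreters that the IIS worker process has no legitimate reason to spawn.
SHELLS = {"cmd.exe", "powershell.exe", "powershell_ise.exe", "pwsh.exe"}

AUTODISCOVER = re.compile(r"/autodiscover/autodiscover\.json", re.I)
BACKEND_POWERSHELL = re.compile(r"/powershell/?(\?|$)", re.I)
RPS_TOKEN = re.compile(r"x-rps-cat=", re.I)


@dataclass
class Finding:
    rule: str
    detail: str


def parse_iis(log_text):
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def detect_ssrf_powershell(rows):
    """Flag Autodiscover requests whose query reaches the PowerShell backend."""
    findings = []
    for r in rows:
        if AUTODISCOVER.search(r["cs-uri-stem"]) and BACKEND_POWERSHELL.search(r["cs-uri-query"]):
            token = " with X-Rps-CAT token" if RPS_TOKEN.search(r["cs-uri-query"]) else ""
            findings.append(Finding(
                "Exchange PowerShell Abuse via SSRF",
                f"{r['c-ip']} {r['cs-method']} {r['cs-uri-stem']}?{r['cs-uri-query']}{token}",
            ))
    return findings


def detect_w3wp_spawning_shell(events):
    """Flag command interpreters whose parent is the IIS worker process."""
    return [
        Finding("W3WP Spawning Shell", f"{e['parent_name']} -> {e['cmdline']}")
        for e in events
        if e["parent_name"].lower() == "w3wp.exe" and e["process_name"].lower() in SHELLS
    ]


def run_all():
    """Run both rules over the constructed data and return the findings."""
    return detect_ssrf_powershell(parse_iis(IIS_LOG)) + detect_w3wp_spawning_shell(PROCESS_EVENTS)


if __name__ == "__main__":
    for f in run_all():
        print(f"[{f.rule}] {f.detail}")
```

Two design points carry over to the real searches: the SSRF rule keys on the path/query split (front-end Autodiscover path, backend path in the query), not on any specific token value, so it survives token changes; and the process rule ignores w3wp.exe spawning conhost.exe, which is routine, and only fires on interpreters, so the benign first event is not reported.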

Version: 1