Description

ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2021-08-24
  • Author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
  • ID: 413bb68e-04e2-11ec-a835-acde48001122

Narrative

During Pwn2Own April 2021, a security researcher demonstrated an attack chain targeting on-premise Microsoft Exchange Server. On August 5th, the same researcher publicly released further details and demonstrated the attack chain. The chain consists of three vulnerabilities:

  • CVE-2021-34473 - Pre-auth path confusion leads to ACL bypass (patched in April by KB5001779)
  • CVE-2021-34523 - Elevation of privilege on the Exchange PowerShell backend (patched in April by KB5001779)
  • CVE-2021-31207 - Post-auth arbitrary file write leads to RCE (patched in May by KB5003435)

Upon successful exploitation, the remote attacker will have SYSTEM privileges on the Exchange Server. In addition to remote access/execution, the adversary may be able to run Exchange PowerShell Cmdlets to perform further actions.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Detect Exchange Web Shell | Server Software Component, Web Shell, Exploit Public-Facing Application | TTP |
| Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application | TTP |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| MS Exchange Mailbox Replication service writing Active Server Pages | Server Software Component, Web Shell, Exploit Public-Facing Application | TTP |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
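As an added illustration of the logic behind two of the Endpoint detections above ("W3WP Spawning Shell" and "MS Exchange Mailbox Replication service writing Active Server Pages"), the following Python is example code written here, not Splunk's own SPL from the content library. It runs over constructed key="value" events; the event shape, the shell list and the Mailbox Replication service process name (MSExchangeMailboxReplication.exe) are assumptions, not taken from this page.

```python
import re

# Constructed sample events in key="value" form (not real Splunk data). The process
# name of the Mailbox Replication service and the event layout are assumptions.
SAMPLE_LOG = r'''
event_type="process" host="EXCH01" parent_process_name="w3wp.exe" process_name="cmd.exe" process="cmd.exe /c whoami"
event_type="process" host="EXCH01" parent_process_name="w3wp.exe" process_name="w3wp.exe" process="w3wp.exe -ap MSExchangeOWAAppPool"
event_type="process" host="EXCH01" parent_process_name="services.exe" process_name="powershell.exe" process="powershell.exe -File backup.ps1"
event_type="file" host="EXCH01" process_name="MSExchangeMailboxReplication.exe" file_path="C:\inetpub\wwwroot\aspnet_client\x.aspx"
event_type="file" host="EXCH01" process_name="MSExchangeMailboxReplication.exe" file_path="C:\Exchange\Logging\MRS\mrs.log"
'''

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}          # command interpreters an IIS worker should not spawn
ASP_EXT = re.compile(r"\.(aspx?|ashx|asmx)$", re.IGNORECASE)  # server-side script extensions IIS will execute

# (detection name, technique from the table above, event type, predicate)
RULES = [
    ("W3WP Spawning Shell", "Server Software Component, Web Shell", "process",
     lambda e: e.get("parent_process_name", "").lower() == "w3wp.exe"
               and e.get("process_name", "").lower() in SHELLS),
    ("MS Exchange Mailbox Replication service writing Active Server Pages",
     "Server Software Component, Web Shell, Exploit Public-Facing Application", "file",
     lambda e: e.get("process_name", "").lower() == "msexchangemailboxreplication.exe"
               and bool(ASP_EXT.search(e.get("file_path", "")))),
]

def parse_event(line):
    """Turn one key="value" line into a dict; values may contain spaces and backslashes."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def run_detections(raw_log):
    """Apply every rule to every event and return the alerts in log order."""
    alerts = []
    for line in raw_log.strip().splitlines():
        event = parse_event(line)
        for name, technique, event_type, match in RULES:
            if event.get("event_type") == event_type and match(event):
                alerts.append({"detection": name, "technique": technique,
                               "host": event.get("host"),
                               "evidence": event.get("process") or event.get("file_path")})
    return alerts

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The second and third sample events are deliberate near-misses (an IIS app pool recycling and a service-launched PowerShell) to show that both the parent and the child must match.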

Reference

source | version: 1