ID | Technique | Tactic |
---|---|---|
T1190 | Exploit Public-Facing Application | Initial Access |
T1133 | External Remote Services | Initial Access |
Detection: ProxyShell ProxyNotShell Behavior Detected
Description
The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.
Search
1
2| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories from datamodel=Risk.All_Risk where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system" by _time span=1h All_Risk.risk_object All_Risk.risk_object_type
3| `drop_dm_object_name(All_Risk)`
4| `security_content_ctime(firstTime)`
5| `security_content_ctime(lastTime)`
6| where source_count >=5
7| `proxyshell_proxynotshell_behavior_detected_filter`
Data Source
Name | Platform | Sourcetype | Source | Supported App |
---|---|---|---|---|
N/A | N/A | N/A | N/A | N/A |
Macros Used
Name | Value |
---|---|
security_content_ctime | convert timeformat="%Y-%m-%dT%H:%M:%S" ctime($field$) |
proxyshell_proxynotshell_behavior_detected_filter | search * |
proxyshell_proxynotshell_behavior_detected_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | False |
Implementation
To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.
Known False Positives
False positives will be limited, however tune or modify the query as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
ProxyShell or ProxyNotShell activity has been identified on $risk_object$. | 81 | 90 | 90 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | proxyshell |
stash |
Integration | ✅ Passing | Dataset | proxyshell |
stash |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 2