⚠️ WARNING: THIS IS AN EXPERIMENTAL DETECTION
We have not been able to test, simulate, or build datasets for it. Use at your own risk!
This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers.
Modification of this analytic is required to ensure fields are mapped accordingly.
A suspicious event will have the method POST, autodiscover.json in the URI, and PowerShell in the query string. This is indicative of reaching the PowerShell back end of Exchange through SSRF.
An event will look similar to
POST /autodiscover/autodiscover.json firstname.lastname@example.org/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d... (abbreviated)
Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2021-08-27
- Author: Michael Haag, Splunk
- ID: 29228ab4-0762-11ec-94aa-acde48001122
| ID | Technique | Tactic |
|---|---|---|
| T1190 | Exploit Public-Facing Application | Initial Access |
| `exchange` c_uri="*//autodiscover.json*" cs_uri_query="*PowerShell*" cs_method="POST" | stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `exchange_powershell_abuse_via_ssrf_filter`
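The detection logic the search above expresses, re-implemented in Python over a constructed IIS W3C log so that it can be run offline against a few sample requests. This is an added example and not Splunk Security Content code. The mapping from IIS columns (s-ip, cs-uri-stem, cs-uri-query) to the analytic's field names (dest, c_uri, cs_uri_query) is assumed here for illustration, the log lines are constructed, and the URI test uses the plain filename substring autodiscover.json rather than the search's literal //autodiscover.json so that the page's own sample request matches.

```python
"""Stand-alone re-implementation of the ProxyShell SSRF-to-PowerShell
detection: POST + autodiscover.json in the URI + PowerShell in the query,
then count/firstTime/lastTime grouped like the SPL stats clause.

Added example, not Splunk Security Content code. The IIS-column-to-field
mapping below is an assumption made for illustration; in Splunk the TA
performs that mapping.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log in IIS W3C extended format. The X-Rps-CAT token
# is truncated/made up and the mailbox address is a placeholder.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2021-08-27 12:00:01 10.0.0.5 POST /autodiscover/autodiscover.json a=dsxyz@example.org/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d 443 - 203.0.113.10 200
2021-08-27 12:00:02 10.0.0.5 POST /autodiscover/autodiscover.json a=dsxyz@example.org/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d 443 - 203.0.113.10 200
2021-08-27 12:01:10 10.0.0.5 GET /autodiscover/autodiscover.json a=user@example.org/mapi/nspi/?MailboxId=abc 443 - 198.51.100.7 200
2021-08-27 12:02:30 10.0.0.5 POST /autodiscover/autodiscover.json - 443 - 198.51.100.8 401
2021-08-27 12:03:00 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.9 302
2021-08-27 12:04:00 10.0.0.5 POST /powershell/ PSVersion=5.1 443 - 10.0.0.9 200
"""

# Assumed mapping from IIS W3C columns to the field names the analytic uses.
FIELD_MAP = {
    "s-ip": "dest",
    "cs-method": "cs_method",
    "cs-uri-stem": "c_uri",
    "cs-uri-query": "cs_uri_query",
    "c-ip": "src",
}


def parse_iis_log(text):
    """Yield one event dict per request line, naming columns from #Fields."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line seen before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        raw = dict(zip(fields, values))
        event = {FIELD_MAP.get(k, k): v for k, v in raw.items()}
        event["_time"] = datetime.strptime(
            f"{raw['date']} {raw['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        yield event


def is_proxyshell_powershell_abuse(event):
    """The search's filter. Splunk wildcard term matches are case-insensitive,
    so the comparisons are done on lower-cased values."""
    return (
        event.get("cs_method", "").upper() == "POST"
        and "autodiscover.json" in event.get("c_uri", "").lower()
        and "powershell" in event.get("cs_uri_query", "").lower()
    )


def run_detection(text):
    """Equivalent of `stats count min(_time) max(_time) by dest,
    cs_uri_query, cs_method, c_uri` over the matching events."""
    groups = defaultdict(list)
    for ev in parse_iis_log(text):
        if is_proxyshell_powershell_abuse(ev):
            key = (ev["dest"], ev["cs_uri_query"], ev["cs_method"], ev["c_uri"])
            groups[key].append(ev["_time"])
    results = []
    for (dest, query, method, uri), times in groups.items():
        results.append({
            "dest": dest, "cs_uri_query": query, "cs_method": method,
            "c_uri": uri, "count": len(times),
            "firstTime": min(times).isoformat(),
            "lastTime": max(times).isoformat(),
        })
    return results


if __name__ == "__main__":
    for row in run_detection(SAMPLE_IIS_LOG):
        print(f"Activity related to ProxyShell has been identified on {row['dest']}: {row}")
```

Only the two POST requests carrying a powershell segment in the query collapse into a single result row; the MAPI probe, the empty-query POST, the OWA login and the legitimate direct /powershell/ request are all ignored, which is the behavior the "Known False Positives" section relies on.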
Associated Analytic Story
How To Implement
The following analytic requires on-premise Exchange to be logging to Splunk using the TA - https://splunkbase.splunk.com/app/3225. Ensure logs are parsed correctly, or tune the analytic for your environment. In particular, confirm what the c_uri field actually contains in your indexed events: the search matches the literal substring //autodiscover.json, and a path-only value such as /autodiscover/autodiscover.json (the form shown in the example request above) will not match it, so adjust the pattern to the URI form your TA produces.
Kill Chain Phase
Known False Positives
Limited false positives; however, tune as needed.
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 80.0 | 80 | 100 | Activity related to ProxyShell has been identified on $dest$. Review events and take action accordingly. |
source | version: 1