The Exchange Server zero-day vulnerability became known today and is already being actively exploited. A corresponding defense measure exists and should be implemented as quickly as possible. You can find out how the defense measure is implemented here:
The website of the company GTSC lists details of the current attack; I have created a small PowerShell script for these IOCs:
```powershell
# Search-ExchangeProxyNotShell.ps1
# Run in the Exchange Management Shell as administrator: the webshell check below relies on
# $exinstall, which only the Exchange Management Shell defines.
if (-not $exinstall) {
    write-warning "`$exinstall is not set - run this script from the Exchange Management Shell."
}

write-host "
------------------------------------------------------
Checking for suspicious files...
------------------------------------------------------
"
# File paths listed by GTSC as indicators of the current attack.
$SuspiciousFiles = @(
    "C:\root\DrSDKCaller.exe",
    "C:\Users\Public\all.exe",
    "C:\Users\Public\dump.dll",
    "C:\Users\Public\ad.exe",
    "C:\PerfLogs\gpg-error.exe",
    "C:\PerfLogs\cm.exe",
    "C:\Program Files\Common Files\system\ado\msado32.tlb"
)
foreach ($SuspiciousFile in $SuspiciousFiles) {
    if (test-path $SuspiciousFile) {
        write-host "Suspicious File $SuspiciousFile found!" -foregroundcolor red
    }
    else {
        write-host "Suspicious File $SuspiciousFile not found!" -foregroundcolor green
    }
}

write-host "
------------------------------------------------------
Checking IIS Logs for IOCs... (this can take some time)
------------------------------------------------------
"
Import-Module WebAdministration
# IIS stores the log directory as e.g. "%SystemDrive%\inetpub\logs\LogFiles"; expand the
# variable instead of assuming the system drive is C:.
$IISLogdir = (get-item "IIS:\Sites\Default Web Site").logfile.directory
$IISLogdir = [Environment]::ExpandEnvironmentVariables($IISLogdir)
# Request pattern published by GTSC for the current attack.
$Pattern = 'powershell.*autodiscover\.json.*\@.*200'
$IOCs = Get-ChildItem -Recurse -Path $IISLogdir -Filter "*.log" | Select-String -Pattern $Pattern
if ($IOCs) {
    write-host "IOC $Pattern found in IIS Logs" -foregroundcolor red
}
else {
    write-host "IOC $Pattern not found in IIS Logs" -foregroundcolor green
}

write-host "
------------------------------------------------------
Checking for WebShells...
------------------------------------------------------
"
# Webshell paths relative to the Exchange install directory, with their SHA256 hashes.
# Two different hashes are listed for RedirSuiteServiceProxy.aspx.
$WebShellArray = @(
    [PSCustomObject]@{
        ID   = 1
        Name = "FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx"
        Hash = "c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1"
    }
    [PSCustomObject]@{
        ID   = 2
        Name = "FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx"
        Hash = "65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5"
    }
    [PSCustomObject]@{
        ID   = 3
        Name = "FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx"
        Hash = "b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca"
    }
    [PSCustomObject]@{
        ID   = 4
        Name = "FrontEnd\HttpProxy\owa\auth\errorEE.aspx"
        Hash = "be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257"
    }
)
foreach ($WebShell in $WebShellArray) {
    # $exinstall already ends with a backslash in the Exchange Management Shell.
    $WebshellPath = "$exinstall" + $WebShell.Name
    if (test-path $WebshellPath) {
        # Get-FileHash defaults to SHA256, which is the algorithm of the IOC hashes.
        $FileHash = (Get-FileHash $WebshellPath).Hash.ToLower()
        if ($WebShell.Hash -eq $FileHash) {
            write-host "WebShell File $WebshellPath found!" -foregroundcolor red
        }
        else {
            # The file exists but is not the known sample: flag it for manual review
            # rather than reporting it as "not found".
            write-host "File $WebshellPath exists but its hash does not match the known IOC - review manually!" -foregroundcolor yellow
        }
    }
    else {
        write-host "WebShell File $WebshellPath not found!" -foregroundcolor green
    }
}
```
I have also published the script on GitHub (in case anyone finds bugs or wants to contribute):
The script can be copied into a file named "Search-ExchangeProxyNotShell.ps1" and run on the Exchange Server in the Exchange Management Shell with administrative rights (Run as Admin). If no IOCs were found, the output looks like this:
If an IOC is found, the corresponding position is marked in red (this is just an example):
If a hit occurs, the server should be examined carefully. If in doubt, the server should be reinstalled. This is not a big deal in a DAG and does not restrict Exchange availability. If there is only one server, a few hours of downtime must be planned. The procedure is described here:
Since Microsoft currently speaks of only a few targeted attacks, and apparently therefore has not issued an Exchange Emergency Mitigation, I would be interested in your results. Are there any readers here with successful attacks or attempted attacks?
Incidentally, this zero-day vulnerability has been given the name "ProxyNotShell", in reference to the last zero-day vulnerability, "ProxyShell".