Microsoft Exchange ProxyShell Attack Detection

[post-views]
August 10, 2021 · 4 min read
Microsoft Exchange ProxyShell Attack Detection

Thousands of Microsoft Exchange servers remain vulnerable to ProxyShell remote code execution vulnerabilities despite the patches issued in April-May. To make things even worse, security researchers are observing a significant spike in scans for vulnerable Exchange servers, after the technical overview of the ProxyShell attack was revealed at the Black Hat conference on August 4-5, 2021.

What Are ProxyShell Bugs?

ProxyShell is a single name for three separate flaws that, if chained, allow unauthenticated hackers to perform remote code execution (RCE) on vulnerable Microsoft Exchange servers. The first bug (CVE-2021-34473) is a pre-auth patch confusion issue that results in ACL bypass. The second flaw (CVE-2021-34523) is an elevation of privilege on the Exchange PowerShell backend. And finally, the third issue (CVE-2021-31207) is a post-auth arbitrary-file-write misconfiguration that leads to RCE. The combination of these misconfigurations might be leveraged through Microsoft Exchange’s Client Access Service (CAS) running on port 443 in IIS.

The bugs were identified and analyzed by security researcher Orange Tsai in April 2021. Further, at the Black Hat conference, Tsai provided an overview of the attack kill chain and technical details of the flaws. Particularly, the expert explained that the ProxyShell attack compromises the Microsoft Exchange Autodiscover service meant to simplify auto-configuration of mail client software.

Tsai’s Black Hat presentation inspired PeterJson and Jang security researchers to publish an in-depth overview of the ProxyShell attack and a step-by-step description of the attack kill chain.

Now, with the details revealed and the kill chain described, adversaries are actively scanning for vulnerable Microsoft Exchange servers to leverage the combination of flaws in the wild. So far, hackers aren’t very prolific in their attempts, yet we will probably see an avalanche of successful exploitation attempts soon. Moreover, despite the patches being available since April 2021, over 30,000 Exchange servers remain vulnerable to date, motivating attackers to proceed with their malicious actions.

ProxyShell Attack Detection and Mitigation

Although ProxyShell flaws were publicly disclosed in July, Microsoft has fixed these notorious vulnerabilities back in April-May 2021. Particularly, CVE-2021-34473 and CVE-2021-34523 were silently addressed in April’s Microsoft Exchange KB5001779 cumulative update. And CVE-2021-31207 was patched with the release of KB5003435. Administrators are urged to patch the servers as soon as possible to prevent the devastating consequences of the ProxyShell attack.

To help security practitioners withstand the ProxyShell attacks and detect possible malicious activity inside the network, security experts Florian Roth and Rich Warren have released dedicated Sigma rules. Download these SOC content items for free right from Threat Detection Marketplace:

Exchange ProxyShell Pattern

This rule written by Florian Roth and Rich Warren detects URP patterns that could be found in ProxyShell exploitation attempts against Exchange servers.

SIEM & SECURITY ANALYTICS: Azure Sentinel, Chronicle Security, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, LogPoint, Graylog, Regex Grep, Humio, RSA NetWitness, FireEye, Apache Kafka ksqlDB, Securonix

The rule is mapped to MITRE ATT&CK® Framework addressing the Initial Access tactics and the Exploit Public-Facing Application technique (T1190). 

Suspicious PowerShell Mailbox Export to Share

This rule written by Florian Roth detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations.

SIEM & SECURITY ANALYTICS: Azure Sentinel, Chronicle Security, ArcSight, QRadar, Splunk, Sumo Logic, ELK Stack, LogPoint, Graylog, Regex Grep, Humio, SentinelOne, CrowdStrike, Microsoft Powershell, Microsoft Defender ATP, Carbon Black, RSA NetWitness, FireEye, Apache Kafka ksqlDB, Securonix

The rule is mapped to MITRE ATT&CK® Framework addressing the Collection tactics and the Email Collection technique (T1114). 

Subscribe to Threat Detection Marketplace for free and reach the industry-leading Content-as-a-Service (CaaS) platform that powers complete CI/CD workflow for threat detection. Our library aggregates over 100K qualified, cross-vendor, and cross-tool SOC content items mapped directly to CVE and MITRE ATT&CK® frameworks. Enthusiastic to craft your own Sigma rules? Join our Threat Bounty program and get rewarded for your input!

Go to Platform Join Threat Bounty

Table of Contents

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts