Exchange Webshell creation
These commands were used to create a webshell by exploiting ProxyShell vulnerabilities
Sigma rule (View on GitHub)
1title: Exchange Webshell creation
2id: 3086329b-245b-4b91-a0f7-bed9b5438cf6
3description: These commands were used to create a webshell by exploiting ProxyShell vulnerabilities
4author: 'The DFIR Report'
5date: 2022-05-14
6modified: 2024-02-23
7references:
8 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
9logsource:
10 category: process_creation
11 product: windows
12detection:
13 selection_1:
14 CommandLine|contains|all:
15 - 'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "administrator@'
16 selection_2:
17 CommandLine|contains|all:
18 - 'New-MailboxExportRequest -Mailbox'
19 - '-FilePath "\\localhost\C$'
20 - '-IncludeFolders ("#Drafts#")'
21 - 'aspx'
22 condition: selection_1 or selection_2
23falsepositives:
24 - Legitimate Administrator activity
25level: medium
26status: experimental
27tags:
28 - attack.t1505.003
29 - attack.persistence
30 - attack.t1190
31 - attack.initial_access
References
-
In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. The overlap of activities an…
Read More
Related rules
- Multiple Suspicious Resp Codes Caused by Single Client
- OMIGOD SCX RunAsProvider ExecuteScript
- Webshell Usage with ManageEngine Product
- Suspicious Commands by SQL Server
- QBot process creation from scheduled task REGSVR32 (regsvr32.exe), -s flag and SYSTEM in the command line