Exchange Webshell creation

Feb 23, 2024 · attack.t1505.003 attack.persistence attack.t1190 attack.initial_access ·

These commands were used to create a webshell by exploiting ProxyShell vulnerabilities

Sigma rule (View on GitHub)

 1title: Exchange Webshell creation
 2id: 3086329b-245b-4b91-a0f7-bed9b5438cf6
 3description: These commands were used to create a webshell by exploiting ProxyShell vulnerabilities
 4author: 'The DFIR Report'
 5date: 2022-05-14
 6modified: 2024-02-23
 7references:
 8    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 9logsource:
10    category: process_creation
11    product: windows
12detection:
13    selection_1:
14        CommandLine|contains|all:
15            - 'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "administrator@'
16    selection_2:
17        CommandLine|contains|all:
18            - 'New-MailboxExportRequest -Mailbox'
19            - '-FilePath "\\localhost\C$'
20            - '-IncludeFolders ("#Drafts#")'
21            - 'aspx'
22    condition: selection_1 or selection_2
23falsepositives:
24    - Legitimate Administrator activity
25level: medium
26status: experimental
27tags:
28    - attack.t1505.003
29    - attack.persistence
30    - attack.t1190
31    - attack.initial_access

References

PHOSPHORUS Automates Initial Access Using ProxyShell

In this intrusion, we observed the initial exploitation of the ProxyShell vulnerabilities followed by some further post-exploitation activity, which included web shells, credential dumping, and specialized payloads.

Read More

Exchange Webshell creation

Sigma rule (View on GitHub)

References

PHOSPHORUS Automates Initial Access Using ProxyShell

Related rules