Exchange WebShell Creation

These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities

Sigma rule

title: Exchange WebShell Creation
id: 3086329b-245b-4b91-a0f7-bed9b5438cf6
description: These commands were used to create a WebShell by exploiting ProxyShell vulnerabilities
author: 'The DFIR Report'
date: 2022-05-14
modified: 2024-02-23
references:
    - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
logsource:
    category: process_creation
    product: windows
detection:
    selection_1:
        CommandLine|contains: 'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "administrator@'
    selection_2:
        CommandLine|contains|all:
            - 'New-MailboxExportRequest -Mailbox'
            - '-FilePath "\\localhost\C$'
            - '-IncludeFolders ("#Drafts#")'
            - 'aspx'
    condition: 1 of selection_*
falsepositives:
    - Legitimate Administrator activity
level: medium
status: experimental
tags:
    - attack.t1505.003
    - attack.persistence
    - attack.t1190
    - attack.initial-access
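To show how the two selections and the `1 of selection_*` condition evaluate, here is an added example (not part of the rule page or the Sigma project) that applies the rule's strings to constructed process-creation events; the event layout, mailbox names and file paths are placeholders, and Sigma's `contains` modifier is treated as case-insensitive, as Sigma specifies.

```python
"""Minimal evaluator for the Sigma rule above against constructed events."""

# Values copied from the rule. Python escaping: '\\\\' is two literal backslashes.
SELECTION_1 = [
    'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "administrator@',
]
SELECTION_2 = [
    'New-MailboxExportRequest -Mailbox',
    '-FilePath "\\\\localhost\\C$',
    '-IncludeFolders ("#Drafts#")',
    'aspx',
]


def _contains(command_line: str, needle: str) -> bool:
    # Sigma string matching is case-insensitive unless the `cased` modifier is used.
    return needle.lower() in command_line.lower()


def selection_1(command_line: str) -> bool:
    # CommandLine|contains: matches if ANY listed value appears (here only one).
    return any(_contains(command_line, v) for v in SELECTION_1)


def selection_2(command_line: str) -> bool:
    # CommandLine|contains|all: matches only if EVERY listed value appears.
    return all(_contains(command_line, v) for v in SELECTION_2)


def matches(event: dict) -> bool:
    """condition: 1 of selection_* -> at least one selection must be true."""
    cmd = event.get("CommandLine", "")
    return selection_1(cmd) or selection_2(cmd)


# Constructed sample events (placeholder names/paths, not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "powershell.exe", "CommandLine":
     'powershell.exe -c "New-ManagementRoleAssignment -Role \"Mailbox Import Export\" -User \"administrator@example.test\""'},
    {"Image": "powershell.exe", "CommandLine":
     'New-MailboxExportRequest -Mailbox user@example.test -FilePath "\\\\localhost\\C$\\placeholder\\page.aspx" -IncludeFolders ("#Drafts#")'},
    # Routine PST export: same cmdlet, but lacks the Drafts folder and 'aspx' substrings,
    # so selection_2 does not fire (all four values are required).
    {"Image": "powershell.exe", "CommandLine":
     'New-MailboxExportRequest -Mailbox user@example.test -FilePath "\\\\localhost\\C$\\backup\\user.pst"'},
    {"Image": "cmd.exe", "CommandLine": "cmd.exe /c whoami"},
]


def alerts(events):
    """Return the command lines of every event the rule would flag."""
    return [e["CommandLine"] for e in events if matches(e)]
```

Because selection_2 requires all four substrings, a change to the export folder or target file name would evade it; the rule is a specific signature, not a general detector for mailbox-export abuse.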
