sigmacriticalHunting

ProxyLogon MSExchange OabVirtualDirectory

Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory

MITRE ATT&CK

T1587.001

resource-development

Detection Query

keywords_cmdlet:
  "|all":
    - OabVirtualDirectory
    - " -ExternalUrl "
keywords_params:
  - eval(request
  - http://f/<script
  - '"unsafe"};'
  - function Page_Load()
condition: keywords_cmdlet and keywords_params

Author

Florian Roth (Nextron Systems)

Created

2021-08-09

Data Sources

windowsmsexchange-management

Platforms

windows

References

https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c

Tags

attack.t1587.001attack.resource-development

Raw Content

title: ProxyLogon MSExchange OabVirtualDirectory
id: 550d3350-bb8a-4ff3-9533-2ba533f4a1c0
status: test
description: Detects specific patterns found after a successful ProxyLogon exploitation in relation to a Commandlet invocation of Set-OabVirtualDirectory
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: Florian Roth (Nextron Systems)
date: 2021-08-09
modified: 2023-01-23
tags:
    - attack.t1587.001
    - attack.resource-development
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords_cmdlet:
        '|all':
            - 'OabVirtualDirectory'
            - ' -ExternalUrl '
    keywords_params:
        - 'eval(request'
        - 'http://f/<script'
        - '"unsafe"};'
        - 'function Page_Load()'
    condition: keywords_cmdlet and keywords_params
falsepositives:
    - Unlikely
level: critical