EXPLORE
Sign In
← Back to Explore
splunk_escuCorrelation

ProxyShell ProxyNotShell Behavior Detected

The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.

MITRE ATT&CK

T1190T1133
initial-accesspersistence

Detection Query

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories FROM datamodel=Risk.All_Risk
  WHERE All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")
    OR
    (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")
    AND
    All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system"
  BY _time span=1h All_Risk.risk_object
     All_Risk.risk_object_type
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >=5
| `proxyshell_proxynotshell_behavior_detected_filter`

Author

Michael Haag, Splunk

Created

2026-02-25

References

Tags

ProxyShellProxyNotShellSeashell Blizzard
Raw Content
name: ProxyShell ProxyNotShell Behavior Detected
id: c32fab32-6aaf-492d-bfaf-acbed8e50cdf
version: 8
date: '2026-02-25'
author: Michael Haag, Splunk
status: production
type: Correlation
description: The following analytic identifies potential exploitation of Windows Exchange servers via ProxyShell or ProxyNotShell vulnerabilities, followed by post-exploitation activities such as running nltest, Cobalt Strike, Mimikatz, and adding new users. It leverages data from multiple analytic stories, requiring at least five distinct sources to trigger, thus reducing noise. This activity is significant as it indicates a high likelihood of an active compromise, potentially leading to unauthorized access, privilege escalation, and persistent threats within the environment. If confirmed malicious, attackers could gain control over the Exchange server, exfiltrate data, and maintain long-term access.
data_source: []
search: |-
    | tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count dc(All_Risk.analyticstories) as dc_analyticstories FROM datamodel=Risk.All_Risk
      WHERE All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")
        OR
        (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell")
        AND
        All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system"
      BY _time span=1h All_Risk.risk_object
         All_Risk.risk_object_type
    | `drop_dm_object_name(All_Risk)`
    | `security_content_ctime(firstTime)`
    | `security_content_ctime(lastTime)`
    | where source_count >=5
    | `proxyshell_proxynotshell_behavior_detected_filter`
how_to_implement: To implement this correlation, you will need to enable ProxyShell, ProxyNotShell and Cobalt Strike analytic stories (the anaytics themselves) and ensure proper data is being collected for Web and Endpoint datamodels. Run the correlation rule seperately to validate it is not triggering too much or generating incorrectly. Validate by running ProxyShell POC code and Cobalt Strike behavior.
known_false_positives: False positives will be limited, however tune or modify the query as needed.
references:
    - https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html
    - https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/
drilldown_searches:
    - name: View the detection results for - "$risk_object$"
      search: '%original_detection_search% | search  risk_object = "$risk_object$"'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
    - name: View risk events for the last 7 days for - "$risk_object$"
      search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$risk_object$") starthoursago=168  | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
      earliest_offset: $info_min_time$
      latest_offset: $info_max_time$
tags:
    analytic_story:
        - ProxyShell
        - ProxyNotShell
        - Seashell Blizzard
    asset_type: Web Server
    mitre_attack_id:
        - T1190
        - T1133
    product:
        - Splunk Enterprise
        - Splunk Enterprise Security
        - Splunk Cloud
    security_domain: network
tests:
    - name: True Positive Test
      attack_data:
        - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1190/proxyshell/proxyshell-risk.log
          source: proxyshell
          sourcetype: stash