question

vallee avatar image
0 Votes"
vallee asked EricYin-MSFT commented

Hafnium Attack - TestProxyLogonScript

Hello,

I am new to Powershell and based on the recent news regarding the Hafnium attack the TestProxyLogonScript was provided to check exchange servers for potential infiltration. Being new to PowerShell, I want to be sure that there is nothing in the script that is meant to change data. Particularly as the disclaimer in the script states is it provided as is without warranty of any kind.

As you can imagine, I don't want to use my exchange server as a test environment. How can I test that script before running it live? Has anyone already run the script and if so, were there any issues?

I have already installed the recommendation patch KB5000871.

In the https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log

Regarding the following I don't see any entries with a pattern of "ServerInfo~/

CVE-2021-26855 exploitation can be detected via the following ExchangeHttpProxy logs:
These logs are located in the following directory:%PROGRAMFILES%\Microsoft\ExchangeServer\V15\Logging\HttpProxy
3/6/2021 HAFNIUM targeting Exchange Servers with 0-day exploits - Microsoft Security
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log 7/17
Exploitation can be identified by searching for log entries where theAuthenticatedUser is empty and the AnchorMailbox contains thepattern of ServerInfo~/

CVE-2021-26858 exploitation can be detected via the Exchange log files:
C:\Program Files\Microsoft\ExchangeServer\V15\Logging\OABGeneratorLog - I don't see files other than the logs here
Files should only be downloaded to the%PROGRAMFILES%\Microsoft\ExchangeServer\V15\ClientAccess\OAB\Temp directory- This folder is empty

Regarding the following I checked the Event Viewer and do not see any events like this.

CVE-2021-26857 exploitation can be detected via the Windows Application event logs
Exploitation of this deserialization bug will create Application events with the following properties:
Source: MSExchange Unified Messaging
EntryType: Error
Event Message Contains: System.InvalidCastException

Regarding the following I don't see any non-internal or External URLs

CVE-2021-27065 exploitation can be detected via the following Exchange log files:
C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server
All Set-<AppName>VirtualDirectory properties should never contain script. InternalUrl and ExternalUrl should only be valid Uris.

I also see the reference to run the Microsoft Safety Scanner at https://github.com/microsoft/CSS-Exchange/blob/main/Security/Defender-MSERT-Guidance.md. I did run this on the exchange server and it stated no vulnerabilities were found. Does this mean my exchange environment was not compromised?

Thanks,
Roger

office-exchange-server-administration
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

2 Answers

EricYin-MSFT avatar image
0 Votes"
EricYin-MSFT answered

So you have passed all the tests in the doc except Test-ProxyLogon.ps1?
I searched "set" in the script and did not find any obvious command that changes data.
As I know, the script does not have a "-whatif" switch as normal command does, I ran it in my server and got passed:
76071-microsoftteams-image-6.png


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.




microsoftteams-image-6.png (1.1 KiB)
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

vallee avatar image
0 Votes"
vallee answered EricYin-MSFT commented

Hello,

I ran the Test-ProxyLogon.ps1 script and it found the following: Does this mean a successful infiltration?



ComputerName Type Path Name
ServerName SuspiciousArchive C:\ProgramData\Symantec\Symantec Endpoint Protection\14.2.758.0000.105\Data\Lue\Downloads\sepc$20virus$20r$20definitions$20sds$20win64$20$28x64$29$2014.2_microdefsb.curdefs_symalllanguages_livetri.zip sepc$20virus$20r$20definitions$20sds$20win64$20$28x64$29$2014.2_microdefsb.curdefs_symalllanguages_livetri.zip

ServerName SuspiciousArchive C:\ProgramData\Symantec\Symantec Endpoint Protection\CurrentVersion\Data\Lue\Downloads\sepc$20virus$20r$20definitions$20sds$20win64$20$28x64$29$2014.2_microdefsb.curdefs_symalllanguages_livetri.zip sepc$20virus$20r$20definitions$20sds$20win64$20$28x64$29$2014.2_microdefsb.curdefs_symalllanguages_livetri.zip



DateTime RequestId ClientIpAddress UrlHost UrlStem RoutingHint UserAgent AnchorMailbox HttpStatus
2021-02-28T16:20:52.341Z 8fa1a7b1-bd5f-44d8-9ef4-10c6b0ae7b43 161.35.1.225 XXXXX /ecp/y.js X-BEResource-Cookie ExchangeServicesClient/0.0.0.0 ServerInfo~a]@ServerName.Domain.com:444/autodiscover/autodiscover.xml?# 200

2021-03-02T21:33:29.638Z 2aa1217f-aa0f-4fb6-9dbe-0c149567b369 157.230.221.198 XXXXX /ecp/y.js X-BEResource-Cookie ExchangeServicesClient/0.0.0.0 ServerInfo~a]@ServerName.Domain.com:444/autodiscover/autodiscover.xml?# 200

2021-03-02T21:33:30.090Z ebf6f67f-5a9c-4526-92ef-72872c2c8301 157.230.221.198 XXXXX /ecp/y.js X-BEResource-Cookie Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/74.0.3729.169 Safari/537.36 ServerInfo~a]@ServerName.Domain.com:444/mapi/emsmdb/?# 200

2021-03-02T21:33:30.622Z 5fe8933f-6905-4b00-acd9-dfa719f4188a 157.230.221.198 XXXXX /ecp/y.js X-BEResource-Cookie Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/74.0.3729.169 Safari/537.36 ServerInfo~a]@ServerName.Domain.com:444/ecp/proxyLogon.ecp?# 241

2021-03-02T21:33:33.627Z c3bdeadd-32fe-4e3b-9857-7ba8a5374f44 157.230.221.198 XXXXX /ecp/y.js X-BEResource-Cookie Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/74.0.3729.169 Safari/537.36 ServerInfo~a]@ServerName.Domain.com:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=mfN2bmbO5UqiyRYhqwafZstCyydV39gIVtfzAUzHN1ciP2FdY7zZlGDljo6-njXdZps86Y-dVDk.&schema=OABVirtualDirectory# 500

2021-03-07T01:12:22.924Z 58435659-e4e0-4cc2-9920-fa055e6bc5b5 159.89.95.163 localhost /ecp/default.flt X-BEResource-Cookie Mozilla/5.0 zgrab/0.x ServerInfo~localhost/owa/auth/logon.aspx? 500

2021-03-07T01:12:22.926Z 58435659-e4e0-4cc2-9920-fa055e6bc5b5 159.89.95.163 XXXXX /owa/auth/x.js X-AnonResource-Backend-Cookie Mozilla/5.0 zgrab/0.x ServerInfo~localhost/ecp/default.flt? 500

Thanks

· 2
5 |1600 characters needed characters left characters exceeded
Toggle Comment visibility. Current Visibility: Visible to all users

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

vallee avatar image vallee ·

I did also run the Microsoft Safety Scanner as recommended in one of several articles. However, the results of the scan did not indicate any malicious files.

0 Votes 0 ·
EricYin-MSFT avatar image EricYin-MSFT ·

The script will flag any zip/7x/rar files that it finds in ProgramData. As noted in this blog post, web shells have been observed using such files for exfiltration. An administrator should review the files to determine if they are valid. Determining if a zip file is a valid part of an installed product is outside the scope of this script, and whitelisting files by name would only encourage the use of those specific names by attackers.


0 Votes 0 ·