Hunting Down MS Exchange Attacks. Part 1. ProxyLogon (CVE-2021-26855, CVE-2021-26858, CVE-2021-27065, CVE-2021-26857)

MS Exchange Architecture and Primary Attack Vectors

MS Exchange architecture
Source: microsoft.com

Logs and Useful Events

ProxyLogon Vulnerabilities

ProxyLogon vulnerability chain

Detection of CVE-2021-26855 Vulnerability

SOAP request for a list of emails
SOAP request to retrieve an email message
Decoded contents of the email message
Obtaining the FQDN of the mail server
Query Autodiscover for admin email account information
Query MAPI to retrieve the admin SID
Authenticating in ECP as an administrator

Detection of CVE-2021-26858, CVE-2021-27065 Vulnerabilities

Changing virtual directory settings for OAB (Default Web Site)
Setting new parameters for the OAB virtual directory (MSExchange Management log)
OAB virtual directory reset interface

2021-03-10 08:16:52 10.3.132.20 POST /ecp/DDI/DDIService.svc/SetObject ActivityCorrelationID=d874fdcd-bd9d-9545-af02-677d356f1aa9&schema=ResetOABVirtualDirectory&msExchEcpCanary=xkdU4icLzEazuIzEhSZaYgDLNVmW49gIjMvzJCs7TmzJoNU9rXLN15tkY5JGHwEOROWXGGq9_NM.&ActID=113cbd79-1e40-4635-8bae-8c8af6731267 444 LAB\dadmin 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/89.0.4389.82+Safari/537.36 https://exchange/ecp/VDirMgmt/ResetVirtualDirectory.aspx?pwmcid=6&ReturnObjectType=1&id=7a466ca6-419b-4445-9cc8-ae66a6bff719&schema=ResetOABVirtualDirectory 200 0 0 7
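The IIS record above is the trace that the OAB virtual-directory reset leaves in the Exchange backend (port 444) W3C log. As an added example that is not part of the original article, the script below parses such records and flags every POST to the ECP DDI SetObject endpoint whose schema parameter is OABVirtualDirectory (the "change settings" step) or ResetOABVirtualDirectory (the "reset" step shown on the page), reporting the account, client IP and referer so an analyst can decide whether that administrator should have been doing it. The field order is assumed to be the IIS default W3C selection, which is what the page's record matches; a #Fields: header in a real log overrides it. The sample log is constructed: the page's record reassembled onto one line plus three invented lines (a benign OWA GET, a benign DDI GetList, and the OABVirtualDirectory SetObject that precedes a reset).

```python
"""Hunt OAB virtual-directory SetObject calls in Exchange IIS W3C logs.

Added example for this article, not the authors' tooling. Field order is the
IIS default W3C selection (an assumption that matches the record on the page);
a #Fields: header in the log overrides it.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional
from urllib.parse import parse_qs

DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# ECP DDI endpoint behind the OAB virtual-directory "change" and "reset"
# operations; the reset call is the one the article's log record shows.
DDI_SETOBJECT = "/ecp/ddi/ddiservice.svc/setobject"
OAB_SCHEMAS = {"oabvirtualdirectory", "resetoabvirtualdirectory"}


@dataclass
class Hit:
    when: str
    user: str
    client_ip: str
    schema: str
    referer: str
    status: str


def iter_records(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per W3C record, honouring #Fields: headers."""
    fields = list(DEFAULT_FIELDS)
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # #Software, #Version, #Date
            continue
        parts = line.split(" ")           # IIS encodes spaces inside values as '+'
        if len(parts) != len(fields):
            continue                      # truncated record: skip, do not misalign
        yield dict(zip(fields, parts))


def oab_schema(query: str) -> Optional[str]:
    """Return the OAB-related schema value from cs-uri-query, if any."""
    if query == "-":                      # IIS writes '-' for an empty query
        return None
    for value in parse_qs(query).get("schema", []):
        if value.lower() in OAB_SCHEMAS:
            return value
    return None


def find_oab_setobject(lines: Iterable[str]) -> List[Hit]:
    """Flag POST SetObject calls whose schema targets the OAB virtual directory."""
    hits: List[Hit] = []
    for rec in iter_records(lines):
        if rec.get("cs-method") != "POST":
            continue
        if rec.get("cs-uri-stem", "").lower() != DDI_SETOBJECT:
            continue
        schema = oab_schema(rec.get("cs-uri-query", "-"))
        if schema is None:
            continue
        hits.append(Hit(
            when=f'{rec.get("date", "-")} {rec.get("time", "-")}',
            user=rec.get("cs-username", "-"),
            client_ip=rec.get("c-ip", "-"),
            schema=schema,
            referer=rec.get("cs(Referer)", "-"),
            status=rec.get("sc-status", "-"),
        ))
    return hits


# Constructed sample log: the page's record on one line plus three invented
# lines (benign OWA GET, benign DDI GetList, and the OABVirtualDirectory
# SetObject that precedes a reset).
UA = ("Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36"
      "+(KHTML,+like+Gecko)+Chrome/89.0.4389.82+Safari/537.36")
SAMPLE_LOG = [
    "#Fields: " + " ".join(DEFAULT_FIELDS),
    "2021-03-10 08:15:30 10.3.132.20 GET /owa/ - 444 LAB\\jdoe 192.168.1.21 " + UA + " - 200 0 0 12",
    "2021-03-10 08:16:10 10.3.132.20 POST /ecp/DDI/DDIService.svc/GetList "
    "schema=OABVirtualDirectory&msExchEcpCanary=abc 444 LAB\\dadmin 192.168.1.20 " + UA + " https://exchange/ecp/ 200 0 0 5",
    "2021-03-10 08:16:40 10.3.132.20 POST /ecp/DDI/DDIService.svc/SetObject "
    "schema=OABVirtualDirectory&msExchEcpCanary=abc 444 LAB\\dadmin 192.168.1.20 " + UA + " https://exchange/ecp/ 200 0 0 9",
    "2021-03-10 08:16:52 10.3.132.20 POST /ecp/DDI/DDIService.svc/SetObject "
    "ActivityCorrelationID=d874fdcd-bd9d-9545-af02-677d356f1aa9&schema=ResetOABVirtualDirectory"
    "&msExchEcpCanary=xkdU4icLzEazuIzEhSZaYgDLNVmW49gIjMvzJCs7TmzJoNU9rXLN15tkY5JGHwEOROWXGGq9_NM."
    "&ActID=113cbd79-1e40-4635-8bae-8c8af6731267 444 LAB\\dadmin 192.168.1.20 " + UA + " "
    "https://exchange/ecp/VDirMgmt/ResetVirtualDirectory.aspx?pwmcid=6&ReturnObjectType=1"
    "&id=7a466ca6-419b-4445-9cc8-ae66a6bff719&schema=ResetOABVirtualDirectory 200 0 0 7",
]

if __name__ == "__main__":
    for hit in find_oab_setobject(SAMPLE_LOG):
        print(f"{hit.when} {hit.user} from {hit.client_ip}: {hit.schema} "
              f"(HTTP {hit.status}, referer {hit.referer})")
```

Run it against the backend site's log directory (the port-444 site, not the port-443 frontend) and treat a hit as a lead, not a verdict: a legitimate administrator resetting the OAB virtual directory from the ECP GUI produces the same record, so the follow-up is to correlate the account, client IP and time with the MSExchange Management log entries for the new OAB parameters and with any new .aspx files under the OAB virtual directory path.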

Contents of test.aspx
Executing commands using a downloaded web shell.
Web shell activity in Security log

Detection of CVE-2021-26857 Vulnerability

Base64Deserialize method code
A snippet of the FromHeaderFile method
Using the Microsoft.Exchange.UM.UMCore.dll library

Conclusion
