Hunting Down MS Exchange Attacks. Part 1. ProxyLogon (CVE-2021–26855, 26858, 27065, 26857)

MS Exchange Architecture and Primary Attack Vectors

MS Exchange architecture
Source: microsoft.com
  • Mailbox server.
  • A Client Access server, which is a frontend service that proxies client requests to the backend servers.
  • Transport, which is responsible for managing mail traffic.
  • Unified Messaging, which allows voice messaging and other telephony features (the role is not available on version 2019 servers).
  • Management role, which is concerned with administration and flexible configuration of MS Exchange components.
  • Outlook Web Access (OWA) — a web interface for mailbox access and management (read/send/delete mail, edit calendar, etc.).
  • Exchange Control Panel (ECP) — a web interface to administer Exchange components: manage mailboxes, create various policies to manage mail traffic, connect new mail servers, etc.
  • Autodiscover — a service that allows customers to retrieve information about the location of various Exchange server components such as the URL for the EWS service. A user needs to be authenticated before the information can be retrieved.
  • Exchange Web Services (EWS) — an API to provide various applications with access to mailbox components.
  • Exchange ActiveSync (EAS) — a service that allows mobile device users to access and manage their email, calendar, contacts, tasks, etc. without an internet connection.
  • RPC — a client access service that uses the RPC protocol, which runs on top of HTTP.
  • Offline Address Book (OAB) — an offline address book service on the Exchange server that allows Outlook users to cache the contents of the Global Address List (GAL) and access it even when not connected to Exchange.
  • to gain access to confidential information in corporate emails
  • to launch a malicious mailing from the victim company’s addresses to infiltrate the infrastructure of another organisation
  • to compromise user accounts with the the use of Exchange components (successful bruteforce attack or detection of credentials in email correspondence) to infiltrate the company’s network via one of the corporate services
  • to gain foothold into the company network (e.g. by using a web shell on the OWA service)
  • to escalate privileges in the domain by using the Exchange server
  • to disable the Exchange server in order to disrupt internal business processes (e.g. by fully encrypting server data)

Logs and Useful Events

ProxyLogon Vulnerabilities

ProxyLogon vulnerability chain

Detection of CVE-2021–26855 Vulnerability

SOAP request for a list of emails
SOAP request to retrieve an email message
Decoded contents of the email message
  • event_log_source:'EWS' AND AuthenticatedUser end with:'$' AND SoapAction IS NOT NULL AND UserAgent contains:'ExchangeWebServicesProxy/CrossSite/' AND NOT (SoapAction = 'GetUserOofSettings')
Obtaining the FQDN of the mail server
Query Autodiscover for admin email account information
Query MAPI to retrieve the admin SID
Authenticating in ECP as an administrator
  • event_log_source:'IIS' AND cs-method:'POST' AND cs-uri-stem:'/ecp/proxyLogon.ecp' AND cs-username end with:'$'

Detection of CVE-2021–26858, CVE-2021–27065 Vulnerabilities

Changing virtual directory settings for OAB (Default Web Site)
Setting new parameters for the OAB virtual directory (MSExchange Management log)
  • event_log_source:('PowershellAudit' OR 'MSExchangeCMDExec') AND event_id:('1' OR ’800’ OR '4104') AND (Message contains ‘Set-’ AND Message contains ‘VirtualDirectory AND Message contains ‘-ExternalUrl’ AND Message contains ‘script’)
OAB virtual directory reset interface
  • event_log_source:’IIS’ AND http_method:’POST’ AND http_code:'200' AND url_path:'/ecp/DDI/DDIService.svc/SetObject' AND (Message contains 'schema=Reset' AND Message contains 'VirtualDirectory')
  • event_log_source:’IIS’ AND http_method:’POST’ AND http_code:'200' AND url_path:'/ecp/DDI/DDIService.svc/SetObject' AND (Message contains 'schema=Reset' AND Message contains 'VirtualDirectory') AND Username contains '$'
Contents of test.aspx
Executing commands using a downloaded web shell.
  • event_log_source:'Security' AND event_id:'4688' AND proc_parent_file_path end with:'\w3wp.exe' AND proc_file_path end with:('\cmd.exe' OR '\powershell.exe')
Web shell activity in Security log
  • event_log_source:'OABGenerator' AND Message contains 'Download failed and temporary file'

Detection of CVE-2021–26857 Vulnerability

Base64Deserialize method code
A snippet of the FromHeaderFile method
Using the Microsoft.Exchange.UM.UMCore.dll library
  • event_log_source:'Security' AND event_id:'4688' AND proc_parent_file_path end with:'\UMWorkerProcess.exe' AND proc_file_path end with:('\cmd.exe' OR '\powershell.exe')
  • event_log_source:’Sysmon’ AND event_id:'11' AND proc_file_path end with:'\UMWorkerProcess.exe' AND file_name end with:(*.asp OR *.aspx) AND file_path contains:("\ClientAccess\Owa\" OR "\HttpProxy\Owa\" OR "\inetpub\wwwroot\" OR "\www\")

Conclusion

--

--

--

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Social Engineering: Cybersecurity’s Achilles’ Heel

Crowny Exchange Listing

HacktheBox Cereal WriteUp

How to Import and Export Passwords in Google Chrome? — SuperTechman

Coronavirus (Covid-19) Lockdown — How You Can Earn During This Time Using CashApp Referral Code

Introducing Cowbell

Making sense of the GDPR: Balancing privacy, authorized access, and state-of-the-art

3D Secure 2.0 Explained

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
BI.ZONE

BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age

More from Medium

Steve McKeon Gets Personal and Down to Business on Radio America

PwnKit: Local Privilege Escalation Vulnerability Discovered in polkit’s pkexec (CVE-2021–4034)

CYBERSECURITY IN SPACE.

The problem of security safety is people.