Hunting Down MS Exchange Attacks. Part 2 (CVE-2020–0688, CVE-2020–16875, CVE-2021–24085)

Logs and Useful Events

Detecting Exploitation of CVE-2020–0688

web.config file fragment
Running ysoserial utility
Cookie settings for the user authorised on the ECP service
Server response when CVE-2020–0688 is exploited
ViewState decoded
CVE-2020–0688 (IIS) exploitation event
CVE-2020–0688 (Application log) exploitation result

Detecting Exploitation of CVE-2020–16875

Adding user dadmin to group dlp users (MSExchange Management log)
Successful exploitation of CVE-2020–16875
New DLP policy creation event (MSExchange Management log)
Process start event (Security log)
Code snippet for creating a remote PowerShell session
Running New-DlpPolicy within a remote PowerShell session
whoami process start event

Detecting Exploitation of CVE-2021–24085

YellowCanary — a project coded in C# that is responsible for generating the token.

Poc.js — the JavaScript payload placed by the attacker on a monitored web server designed to lure the Exchange administrator.

Successful export of the certificate
Generating the msExchEcpCanary parameter
Adding a new add-in via the ECP interface
Adding an add-in using JavaScript




Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store