Based on recent reporting and evidence, it's worthwhile to use Azure Sentinel to monitor Microsoft Exchange for ProxyShell activity.
See: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
Here's a quick KQL query to hunt for this vulnerability in your environment. It looks for the known ProxyShell web shell file names dropped into the Exchange aspnet_client folder. The query can be turned into an Analytics Rule to automate the hunt.
DeviceFileEvents
// Windows paths are case-insensitive; in~ matches regardless of the casing recorded in FolderPath
| where FolderPath in~ (
    "C:\\inetpub\\wwwroot\\aspnet_client\\488617229.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\654253568.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\668544844.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\731294981.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\CYCESRYBAJPREELGQOQ.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\CYSCPPUOWK.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\JVSTGMTCIPJCGR.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\MQMYUVTNMSZJQEUB.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\MWWJJRXXQWDKQGURFMQ.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\PFLIYH.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\RLDVMAGKRJV.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\RWXJGN.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\TDIVOXVL.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\VQJMZXKL.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\XETUQDFHBZXAR.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\apfpprmunlpzyhom.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\czhlxfrdbhuqxljd.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\dxtfc.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\eewiq.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\febvx.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\ksrgd.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\lsdiv.aspx"
)
The most current version of this query will always be located in my GitHub repo at: https://cda.ms/2qR
As noted in the repo, this queries DeviceFileEvents, which requires Defender for Endpoint to be connected to Azure Sentinel.
Find ways to improve the query? Let me know @rodtrent