How to Monitor for ProxyShell Microsoft Exchange Vulnerabilities using Azure Sentinel

Based on recent reporting and evidence, it's worthwhile to use Azure Sentinel to monitor for potential ProxyShell exploitation of Microsoft Exchange servers.

See: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit

Here's a quick KQL query you can use to hunt for this vulnerability in your environment. The query can be turned into an Analytics Rule to automate the hunt.

DeviceFileEvents
| where FolderPath in (
    "C:\\inetpub\\wwwroot\\aspnet_client\\488617229.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\654253568.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\668544844.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\731294981.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\CYCESRYBAJPREELGQOQ.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\CYSCPPUOWK.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\JVSTGMTCIPJCGR.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\MQMYUVTNMSZJQEUB.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\MWWJJRXXQWDKQGURFMQ.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\PFLIYH.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\RLDVMAGKRJV.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\RWXJGN.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\TDIVOXVL.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\VQJMZXKL.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\XETUQDFHBZXAR.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\apfpprmunlpzyhom.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\czhlxfrdbhuqxljd.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\dxtfc.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\eewiq.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\febvx.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\ksrgd.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\lsdiv.aspx"
)

The most current version of this query will always be located in my GitHub repo at: https://cda.ms/2qR

As noted in the repo, this query reads the DeviceFileEvents table, which requires Microsoft Defender for Endpoint to be connected to Azure Sentinel.
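To show what the query actually matches on, and where a fixed list of file names falls short, here is an added Python example (not from the post or its GitHub repo) that replays the same logic over a few constructed DeviceFileEvents-style records. It keeps the exact, case-sensitive path match of the KQL above and adds a broader check that flags any .aspx file created or modified directly in aspnet_client, since a shell dropped under a new random name would not be in the list. The record layout, the FileEvent class and the sample events are assumptions made for this example; only the 22 paths come from the page.

```python
"""Added example: re-implements the post's KQL hunt in Python and generalizes it.

Column names (Timestamp, DeviceName, ActionType, FolderPath) mirror the real
DeviceFileEvents schema; the records below are constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

ASPNET_CLIENT_DIR = r"C:\inetpub\wwwroot\aspnet_client"

# The 22 file names from the post's query (the only real indicators here).
KNOWN_WEBSHELL_NAMES = [
    "488617229.aspx", "654253568.aspx", "668544844.aspx", "731294981.aspx",
    "CYCESRYBAJPREELGQOQ.aspx", "CYSCPPUOWK.aspx", "JVSTGMTCIPJCGR.aspx",
    "MQMYUVTNMSZJQEUB.aspx", "MWWJJRXXQWDKQGURFMQ.aspx", "PFLIYH.aspx",
    "RLDVMAGKRJV.aspx", "RWXJGN.aspx", "TDIVOXVL.aspx", "VQJMZXKL.aspx",
    "XETUQDFHBZXAR.aspx", "apfpprmunlpzyhom.aspx", "czhlxfrdbhuqxljd.aspx",
    "dxtfc.aspx", "eewiq.aspx", "febvx.aspx", "ksrgd.aspx", "lsdiv.aspx",
]
KNOWN_WEBSHELL_PATHS = {ntpath.join(ASPNET_CLIENT_DIR, n) for n in KNOWN_WEBSHELL_NAMES}


@dataclass(frozen=True)
class FileEvent:
    """Subset of DeviceFileEvents columns used by this example (hypothetical record type)."""
    timestamp: str
    device_name: str
    action_type: str   # FileCreated / FileModified / FileDeleted / FileRenamed
    folder_path: str   # DeviceFileEvents reports the full path here, file name included


def is_known_webshell(path: str) -> bool:
    """Exact, case-sensitive match, equivalent to the '==' / 'in' comparisons in the KQL."""
    return path in KNOWN_WEBSHELL_PATHS


def is_aspx_in_aspnet_client(path: str) -> bool:
    """Broader heuristic: any .aspx placed directly in aspnet_client (case-insensitive)."""
    folder, name = ntpath.split(path)
    return folder.lower() == ASPNET_CLIENT_DIR.lower() and name.lower().endswith(".aspx")


def hunt(events: list[FileEvent]) -> list[tuple[FileEvent, str]]:
    """Return (event, reason) pairs for every record that matches either check.

    Known paths are reported on any action type, as in the original query
    (a deletion of a known shell name is still worth seeing). The broader
    .aspx heuristic is limited to create/modify to keep noise down.
    """
    hits: list[tuple[FileEvent, str]] = []
    for ev in events:
        if is_known_webshell(ev.folder_path):
            hits.append((ev, "known ProxyShell webshell path"))
        elif ev.action_type in ("FileCreated", "FileModified") and is_aspx_in_aspnet_client(ev.folder_path):
            hits.append((ev, "unexpected .aspx written to aspnet_client"))
    return hits


# Constructed sample records: two known names, one unknown .aspx, and two benign-looking events.
SAMPLE_EVENTS = [
    FileEvent("2021-08-20T10:01:00Z", "exch01", "FileCreated", r"C:\inetpub\wwwroot\aspnet_client\488617229.aspx"),
    FileEvent("2021-08-20T10:02:00Z", "exch01", "FileCreated", r"C:\inetpub\wwwroot\aspnet_client\zzqwerty.aspx"),
    FileEvent("2021-08-20T10:03:00Z", "exch01", "FileModified", r"C:\inetpub\wwwroot\aspnet_client\system_web\webresource.axd"),
    FileEvent("2021-08-20T10:04:00Z", "exch01", "FileDeleted", r"C:\inetpub\wwwroot\aspnet_client\PFLIYH.aspx"),
    FileEvent("2021-08-20T10:05:00Z", "exch01", "FileDeleted", r"C:\inetpub\wwwroot\aspnet_client\oldpage.aspx"),
]


if __name__ == "__main__":
    for ev, reason in hunt(SAMPLE_EVENTS):
        print(f"{ev.timestamp} {ev.device_name} {ev.action_type:<12} {ev.folder_path}  <- {reason}")
```

The KQL equivalent of the broader check is a `where FolderPath startswith` / `endswith` pair on the same table; when you add it to an Analytics Rule, expect to tune it against whatever legitimately writes .aspx files into aspnet_client in your environment, which on a stock Exchange server should be nothing.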

Found ways to improve the query? Let me know: @rodtrent
