The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign
On March 2, 2021, Microsoft publicly disclosed that four Exchange Server zero-day vulnerabilities were being exploited in large-scale attacks against Outlook on the web (OWA) servers exposed to the Internet. The four vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.
Known collectively as 'ProxyLogon', these flaws are being actively exploited by Chinese state-sponsored hacking groups to steal email, harvest credentials, and deploy web shells that give persistent access to a wide range of internal systems at the targeted organizations.
Alongside the announcement, Microsoft released updated Microsoft Defender signatures that detect the web shells installed by exploiting the zero-day vulnerabilities above.
These web shells are detected by Microsoft Defender with the following specific information:
- Exploit:Script/Exmann.A!dha
- Behavior:Win32/Exmann.A
- Backdoor:ASP/SecChecker.A
- Backdoor:JS/Webshell
- Trojan:JS/Chopper!dha
- Behavior:Win32/DumpLsass.A!attk
- Backdoor:HTML/TwoFaceVar.B
For organizations that do not run Microsoft Defender, Microsoft has also added the same signatures to its standalone Microsoft Safety Scanner tool so that it can find and remove the web shells used in these attacks.
Microsoft Safety Scanner helps to remove web shell
Microsoft Safety Scanner, also known as the Microsoft Support Emergency Response Tool (MSERT), is a portable, standalone anti-malware tool that uses Microsoft Defender signatures to scan for and remove the malware it detects.
MSERT is an on-demand scanner and provides no real-time protection. It is meant for spot scans and should not be treated as a replacement for a resident antivirus product.
Furthermore, MSERT deletes detected files outright rather than quarantining them unless you start it with the /N (detect-only) switch, as in msert.exe /N. Deleting a web shell before you have taken a copy also destroys evidence you will want during incident response. To find web shells without deleting them, you can also use the PowerShell script described at the end of this article.
The Microsoft Safety Scanner can be downloaded as a 32-bit or 64-bit executable and used to perform on-site scans when needed.
After launching the program and accepting the license agreement, you are taken to a screen where you choose the scan type.
Microsoft generally recommends the 'Full scan' option so that the entire server is scanned.
Depending on the size of your installation, a full scan can take a long time, so you may instead run a 'Customized scan' of the folders where the ProxyLogon web shells are dropped:
- %IIS installation path%\aspnet_client\*
- %IIS installation path%\aspnet_client\system_web\*
- %Exchange Server installation path%\FrontEnd\HttpProxy\owa\auth\*
- Configured temporary ASP.NET files path
- %Exchange Server installation path%\FrontEnd\HttpProxy\ecp\auth\*
When the scan finishes, MSERT reports which files it deleted and the detection name for each.
For more detail on what was deleted, see the log at %SYSTEMROOT%\debug\msert.log.
Once you are done with MSERT, you uninstall it simply by deleting the msert.exe executable.
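The following PowerShell script is an added example, not code from the article, from Microsoft or from MSERT. It walks the customized-scan procedure above in a non-destructive order: inventory the ASP.NET files in the listed folders with hashes and timestamps, flag content that looks like a web shell, preserve copies for forensics, and only then run MSERT in detect-only mode and pull the detection names out of its log. It assumes msert.exe is in the current directory, that $env:ExchangeInstallPath is set (it is on Exchange servers), that the IIS root is %SystemDrive%\inetpub\wwwroot, and that the temporary ASP.NET files live at the .NET 4 default location; the /Q (quiet) switch is taken from Microsoft's Safety Scanner documentation, and the content patterns are this example's own heuristic, not Microsoft's signatures.

```powershell
# Added example (not from the article, Microsoft or MSERT): detect-only triage of the
# ProxyLogon web shell drop folders, followed by an MSERT /N scan.
# Assumptions: msert.exe in the current directory; $env:ExchangeInstallPath set;
# IIS root at %SystemDrive%\inetpub\wwwroot; default .NET 4 Temporary ASP.NET Files path.

$ErrorActionPreference = 'Stop'

$iisRoot      = Join-Path $env:SystemDrive 'inetpub\wwwroot'
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { throw 'ExchangeInstallPath is not set; run this on an Exchange server.' }

# Folders from the customized-scan list. aspnet_client\system_web is covered by recursion.
$scanPaths = @(
    (Join-Path $iisRoot 'aspnet_client'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files')
) | Where-Object { Test-Path $_ }
if (-not $scanPaths) { throw 'None of the expected folders exist on this host.' }

# Heuristic strings common in ASP.NET web shells but not in Exchange's own pages (example's own list).
$shellPatterns = 'eval\s*\(', 'Request\.(Item|Form|QueryString)\s*\[', 'Request\s*\[\s*"', '"unsafe"'

function Get-WebShellCandidate {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        Get-ChildItem -Path $p -Recurse -File -Include *.aspx,*.asp,*.ashx,*.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $content = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            $hits = @($shellPatterns | Where-Object { $content -match $_ })
            [pscustomobject]@{
                Path           = $_.FullName
                LastWriteUtc   = $_.LastWriteTimeUtc
                SizeBytes      = $_.Length
                SHA256         = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                Suspicious     = ($hits.Count -gt 0)
                MatchedPattern = ($hits -join '; ')
            }
        }
    }
}

# 1. Inventory first: newest files at the top, since dropped shells are usually the most recent.
$inventory = Get-WebShellCandidate -Path $scanPaths
$inventory | Sort-Object LastWriteUtc -Descending |
    Format-Table Path, LastWriteUtc, Suspicious, MatchedPattern -AutoSize

# 2. Preserve evidence before anything is removed: the inventory plus copies of flagged files,
#    renamed to .txt so the copies can never be served by IIS.
$evidence = Join-Path $env:TEMP ('proxylogon-triage-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $evidence | Out-Null
$inventory | Export-Csv -Path (Join-Path $evidence 'inventory.csv') -NoTypeInformation
$inventory | Where-Object Suspicious | ForEach-Object {
    Copy-Item -Path $_.Path -Destination (Join-Path $evidence ($_.SHA256 + '.txt'))
}

# 3. Run MSERT in detect-only (/N) quiet (/Q) mode, then list detections from its log.
$msert = Join-Path (Get-Location).Path 'msert.exe'
if (-not (Test-Path $msert)) { throw "msert.exe not found at $msert" }
$proc = Start-Process -FilePath $msert -ArgumentList '/N', '/Q' -Wait -PassThru
Write-Host "MSERT exit code: $($proc.ExitCode)"
Get-Content -Path (Join-Path $env:SystemRoot 'debug\msert.log') |
    Select-String -Pattern 'Backdoor:|Trojan:|Exploit:|Behavior:' |
    ForEach-Object { $_.Line }
```

Run it from an elevated PowerShell session in the folder that holds msert.exe. Once the inventory and copies are safely off the box, a second run without /N (or a full scan from the MSERT UI) can do the actual removal.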
PowerShell scripts for finding web shells
If you want to find web shells without deleting them, you can use a PowerShell script called detector_webshells.ps1 created by CERT-LV, the Latvian national CERT.
The script lists files that contain strings used by the ProxyLogon web shells but not by Microsoft Exchange itself. Because detector_webshells.ps1 does not delete anything, the files remain intact for later analysis.
Usage instructions are in the CERT-LV project's GitHub repository.
Microsoft has also released a PowerShell script called Test-ProxyLogon.ps1 that searches Exchange and OWA log files for indicators of compromise (IOCs) associated with ProxyLogon attacks.
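As an added example (it is neither Microsoft's Test-ProxyLogon.ps1 nor the CERT-LV script), here is a minimal detect-only pass over Exchange HttpProxy logs for the CVE-2021-26855 indicator described in Microsoft's HAFNIUM guidance: a request with an empty AuthenticatedUser whose AnchorMailbox field has the form ServerInfo~host/path. The log content below is constructed for the example so it runs offline; the column names DateTime, AuthenticatedUser, AnchorMailbox, ClientIpAddress and UrlStem are assumed to match the real HttpProxy CSV logs, and the parser also tolerates the '#Fields:' header style some Exchange logs use.

```powershell
# Added example, not Microsoft's Test-ProxyLogon.ps1: scan HttpProxy logs for the
# CVE-2021-26855 AnchorMailbox indicator without touching anything on disk.
# Assumed column names: DateTime, AuthenticatedUser, AnchorMailbox, ClientIpAddress, UrlStem.

function Find-ProxyLogonHttpProxyHit {
    param([Parameter(Mandatory)][string[]]$LogFile)
    foreach ($f in $LogFile) {
        $raw = Get-Content -Path $f
        # HttpProxy logs normally start with a plain CSV header; some Exchange logs instead carry
        # '#' metadata lines with a '#Fields:' header. Handle both so no file is silently skipped.
        $fields = $raw | Where-Object { $_ -like '#Fields:*' } | Select-Object -First 1
        $data   = $raw | Where-Object { $_ -notmatch '^#' -and $_.Trim() -ne '' }
        $rows = if ($fields) {
            $data | ConvertFrom-Csv -Header (($fields -replace '^#Fields:\s*', '').Split(','))
        } else {
            $data | ConvertFrom-Csv
        }
        foreach ($r in $rows) {
            # Indicator: unauthenticated request routed via a ServerInfo~<host>/<path> anchor.
            if ([string]::IsNullOrEmpty($r.AuthenticatedUser) -and $r.AnchorMailbox -like 'ServerInfo~*/*') {
                [pscustomobject]@{
                    File          = $f
                    DateTime      = $r.DateTime
                    ClientIp      = $r.ClientIpAddress
                    UrlStem       = $r.UrlStem
                    AnchorMailbox = $r.AnchorMailbox
                }
            }
        }
    }
}

# Constructed sample log (not a real capture). Row 2 is the indicator; rows 1 and 3 are normal traffic.
$sample = Join-Path $env:TEMP 'HttpProxy_sample.log'
@'
DateTime,RequestId,UrlStem,AuthenticatedUser,AnchorMailbox,ClientIpAddress,HttpStatus
2021-03-02T10:01:12.000Z,1,/owa/,CONTOSO\alice,Sid~S-1-5-21-1,10.0.0.5,200
2021-03-02T10:02:40.000Z,2,/ecp/y.js,,ServerInfo~a]@mail.contoso.example:444/autodiscover/autodiscover.xml?#,203.0.113.7,200
2021-03-02T10:03:05.000Z,3,/autodiscover/autodiscover.xml,CONTOSO\bob,Smtp~bob@contoso.example,10.0.0.9,200
'@ | Set-Content -Path $sample

Find-ProxyLogonHttpProxyHit -LogFile $sample | Format-List

# On a real server, point it at the HttpProxy log tree instead of the sample:
# $logs = Get-ChildItem -Recurse -Path (Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy') -Filter '*.log'
# Find-ProxyLogonHttpProxyHit -LogFile $logs.FullName
```

Against the sample, only the second row is reported (empty AuthenticatedUser, ServerInfo~ anchor, request from 203.0.113.7). A hit here is a reason to run the full Microsoft script and to treat the web shell folders above as compromised, not proof on its own.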