The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign

Microsoft has just released a new update to MSERT, which comes with the ability to detect web shells deployed in recent Exchange Server attacks.

The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign

Earlier on March 2, Microsoft publicly disclosed that up to four Exchange Server zero-day vulnerabilities were being abused in a large-scale attack against Outlook servers on the web (Outlook on the web. - OWA) was revealed. These four vulnerabilities are currently being tracked with identifiers CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, respectively.

Known as 'ProxyLogon', these flaws are being thoroughly exploited by Chinese-sponsored hacker groups to steal email messages, collect login credentials, and deploy web shells for access. access to a wide range of targeted intranet systems.

In making this offensive campaign public announcement, Microsoft also released updated signatures for Microsoft Defender to add the ability to detect unauthorized installed web shells by abusing zero vulnerabilities. -day above.

These web shells are detected by Microsoft Defender with the following specific information:

Exploit: Script / Exmann.A! Dha
Behavior: Win32 / Exmann.A
Backdoor: ASP / SecChecker.A
Backdoor: JS / Webshell
Trojan: JS / Chopper! Dha
Behavior: Win32 / DumpLsass.A! Attk
Backdoor: HTML / TwoFaceVar.B

For organizations that don't use Microsoft Defender, the Redmond company has added update signatures to their Microsoft Safety Scanner stand-alone tool to add the ability to find and remove web shells used in hacking campaigns. this work.

Microsoft Safety Scanner helps to remove web shell

Microsoft Safety Scanner, also known as Microsoft Emergency Response Assistant (MSERT), is a portable standalone anti-software tool that includes a Microsoft Defender signature to scan and remove detected malware .

MSERT can be considered as an on-demand scanner and will not provide any real-time protection. Therefore, this tool should only be used for spot scanning and should not be considered as a standalone antivirus program.

Furthermore, MSERT will also automatically delete any detected files and not quarantine them if you don't start the program with the / N argument, as in msert.exe / N. To scan web shells and not delete them, you can also use the PowerShell script described at the end of the article.

The Microsoft Safety Scanner can be downloaded as a 32-bit or 64-bit executable and used to perform on-site scans when needed.

After launching the program, agree to the license agreements and you will be taken to a screen to choose a scan type.

Microsoft generally recommends that users choose the 'Full scan' option to scan the entire server.

The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign Picture 1

Depending on the size of your installation, the full scan might take quite a while. Therefore, you can perform a 'Customized scan' of each important folder, such as:

% IIS installation path% aspnet_client *
% IIS installation path% aspnet_clientsystem_web *
% Exchange Server installation path% FrontEndHttpProxyowaauth *
Configured temporary ASP.NET files path
% Exchange Server Installation% FrontEndHttpProxyecpauth *

After the scan is finished, MSERT will report which files have been deleted and their specific names.

The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign Picture 2

For more detailed information on which files have been deleted, you can refer to the file% SYSTEMROOT% debugmsert.log, as shown below.

The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign Picture 3

Once you're done using MSERT, you can uninstall the tool by deleting the executable msert.exe.

PowerShell scripts support finding web shells

If you want to scan web shells without deleting them, you can use a new PowerShell script called detector_webshells.ps1 created by Latvian CERT.

This script will display files containing specific strings used by web shell, but not Microsoft Exchange, in ProxyLogon attacks. The advantage of detector_webshells.ps is that it will not delete the file and facilitate further analysis later.

The Microsoft MSERT tool can find web shells related to the Exchange Server attack campaign Picture 4

You can find more information on how to use this script in the CERT-LV project's GitHub repository.

In addition, Microsoft has just released a PowerShell script called Test-ProxyLogon.ps1, which can be used to look for intrusion index (IOC) related to ProxyLogon attacks in log files. Exchange and OWA.

The attack on Microsoft Exchange increased while WannaCry showed signs of return
the series of security flaws that have existed for a long time in microsoft exchange and have only recently been patched have attracted a lot of attention from both users and cybercriminals.
6 leading Exchange Server monitoring software
the following article will look at some of the best exchange server monitoring tools to help you monitor server health, mailbox size (mailbox), limits and more.
Introducing Exchange Server 2019, how to install Exchange Server 2019
exchange server 2019 is designed to deliver security, performance, and improved manageability and operations - properties microsoft's biggest customers have come to expect from exchange.
Mobile messaging in Exchange 2003 - Part 3: Installation, administration, and use of Microsoft Exchange Server ActiveSync Web Administration tool
in this article, i will show you how to install and configure the exchange server activesync web administration tool and how to use this tool to perform remote data deletion, check transaction logs. , ...
Exchange Troubleshooting Assistant
in this article we will show you how to use exchange server troubleshooting assistant version 1.0. knowing how to use this tool effectively will predict a large number of exchange serv related issues
Transfer Exchange 2003 to Exchange 2007 (P.6)
in this section, we have configured the settings related to the hub transport function server. in this section we continue to configure the exchange 2007 environment.
Use remote connection analysis tool for Exchange Server - Part 1
in this article we will introduce you to the exchange server remote connectivity analyzer (exrca) tool so that administrators can validate autodiscover, ....
Analysis of disaster recovery perspective and high availability of Exchange Server
email today is very popular and has become a standard tool for communication in many businesses, large and small. microsoft is a software company that has a dominant role in the mail market through its exchange server products. businesses choose exchange's reliability, scalability and performance, besides that
Microsoft continues to 'delay' the plan to launch a new version of Exchange Server for another 4 years
currently, with a focus on security, microsoft has just announced that the next version of exchange server will be released in the second half of 2025.
Microsoft begins offering Exchange Server updates in .exe packages
currently, microsoft has maintained a policy of releasing exchange server security updates (exchange server security updates - su) and hot patches (hotfixes - hf) as windows installer patch files (.msp).
Transfer from Linux Mail Server to Exchange Server 2007 (Part 1)
in exchange server 2003, we can use the exchange migration wizard to switch from an imap4 running environment to active directory and exchange server 2003. in this article, however, i don't want to talk about exchange server 2003 but instead. gi
Discover EMC in Exchange Server 2010 (Part 2)
in the previous article, we learned some new features in exchange server 2010, including: high availability, archiving, federation and sharing.