2021-11-23

ProxyShell & Web Shells

Industry: N/A | Level: Tactical | Source: Mandiant

Mandiant investigations continue to identify exploitation of the Microsoft Exchange (ProxyShell) vulnerabilities as recently as November 2021, with estimates of up to 30,000 internet-facing servers still vulnerable. Threat actor tradecraft has shifted slightly: "most notably, the writing of web shells via export of exchange certificate requests instead of mailbox exports, and exploitation of the first two vulnerabilities in the exploit chain only to achieve remote PowerShell and create new mailboxes, assign them privileged access to other mailboxes, then access them via Outlook Web Access (OWA)," the investigation states. Three attack paths were observed following the second-stage exploitation: dropping a web shell, abusing the New-ExchangeCertificate cmdlet to write web shell files, and chaining New-Mailbox, New-RoleGroupMember and Add-MailboxPermission to create a new user with full Exchange administrative capabilities.
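The two non-web-shell paths above leave distinct traces in Exchange admin-audit logging: a file-writing cmdlet pointed at a web-served path, and a freshly created mailbox that is promptly granted role-group membership or mailbox access. The following Python example is added here and is not code from Mandiant or Anvilogic; the simplified log line format, the actor names, the paths and the 30-minute correlation window are constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed, simplified admin-audit style lines: "<ISO time> <actor> <cmdlet> <params>".
# Sample input for this example only, not real Exchange log output.
SAMPLE_LOG = """\
2021-11-18T09:12:04Z svc_backup New-MailboxExportRequest -Mailbox user1 -FilePath \\\\fs01\\pst\\user1.pst
2021-11-18T09:14:31Z SYSTEM New-ExchangeCertificate -GenerateRequest -RequestFile C:\\inetpub\\wwwroot\\aspnet_client\\cert.aspx -SubjectName cn=x
2021-11-18T09:20:10Z admin New-Mailbox -Name helpdesk2 -UserPrincipalName helpdesk2@corp.example
2021-11-18T09:21:45Z admin New-RoleGroupMember -Identity "Organization Management" -Member helpdesk2
2021-11-18T09:22:30Z admin Add-MailboxPermission -Identity ceo -User helpdesk2 -AccessRights FullAccess
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Za-z]+-[A-Za-z]+)\s+(.*)$")
# Cmdlets that write a caller-controlled file path, and the parameter that carries it.
FILE_WRITERS = {"New-ExchangeCertificate": "RequestFile", "New-MailboxExportRequest": "FilePath"}
WEB_EXTS = (".aspx", ".asp", ".ashx", ".asmx")              # server-executable extensions
WEB_DIRS = ("\\inetpub\\", "\\frontend\\httpproxy\\", "\\clientaccess\\")  # IIS-served directories

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, actor, cmdlet, params = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "actor": actor, "cmdlet": cmdlet, "params": params}

def param(params, name):
    # Returns the value of -<name>, handling quoted values with spaces.
    m = re.search(r'-%s\s+("[^"]*"|\S+)' % name, params)
    return m.group(1).strip('"') if m else None

def detect(log_text, window=timedelta(minutes=30)):
    events = [e for e in (parse(l) for l in log_text.splitlines()) if e]
    findings, new_mailboxes = [], {}  # new_mailboxes: name -> creation time
    for e in events:
        if e["cmdlet"] in FILE_WRITERS:
            # Rule 1: an Exchange cmdlet writing into a web-served location or with a web extension.
            path = param(e["params"], FILE_WRITERS[e["cmdlet"]]) or ""
            low = path.lower()
            if low.endswith(WEB_EXTS) or any(d in low for d in WEB_DIRS):
                findings.append(("webshell_write_via_cmdlet", e["cmdlet"], path))
        elif e["cmdlet"] == "New-Mailbox":
            name = param(e["params"], "Name")
            if name:
                new_mailboxes[name.lower()] = e["ts"]
        elif e["cmdlet"] in ("New-RoleGroupMember", "Add-MailboxPermission"):
            # Rule 2: a mailbox created within the window is granted role membership or mailbox access.
            who = param(e["params"], "Member" if e["cmdlet"] == "New-RoleGroupMember" else "User") or ""
            created = new_mailboxes.get(who.lower())
            if created is not None and e["ts"] - created <= window:
                findings.append(("new_mailbox_privileged", e["cmdlet"], who))
    return findings

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding)
```

The routine export to a .pst on a file share produces no finding, while the certificate request written as an .aspx under inetpub and the helpdesk2 mailbox's rapid privilege grants each do.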

Anvilogic Use Cases:
  • Potential ProxyShell
  • Potential Web Shell
  • Web Application File Upload
  • Exchange New Export Request
