Detect Exchange Web Shell

Detect Exchange Web Shell

Description

The following query identifies suspicious .aspx created in 3 paths identified by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM group and recently disclosed vulnerablity named ProxyShell. Paths include: \HttpProxy\owa\auth\, \inetpub\wwwroot\aspnet_client\, and \HttpProxy\OAB\. Upon triage, the suspicious .aspx file will likely look obvious on the surface. inspect the contents for script code inside. Identify additional log sources, IIS included, to review source and other potential exploitation.

   Help

Detect Exchange Web Shell Help

To successfully implement this search you need to be ingesting information on process that include the name of the process responsible for the changes from your endpoints into the Endpoint datamodel in the Processes node and Filesystem node.

   Search

Open in Search