Detect Exchange Web Shell

The following query identifies suspicious .aspx files created in three paths that Microsoft has identified as known drop locations for Exchange exploitation tied to the HAFNIUM group and to the recently disclosed vulnerability chain named ProxyShell. The paths are: \HttpProxy\owa\auth\, \inetpub\wwwroot\aspnet_client\, and \HttpProxy\OAB\. On triage, the suspicious .aspx file will likely look obvious on the surface; inspect its contents for embedded script code. Identify additional log sources, IIS logs included, to review the request source and other potential exploitation activity.
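The page does not reproduce the Splunk search itself, so the following is an added example, not the page's query or Splunk's code. It applies the same logic in Python over a handful of constructed file-system events: flag any .aspx file created under one of the three drop directories named above, matching case-insensitively on the directory portion so that subdirectories under those paths are caught as well. The field names (dest, process_name, action, file_path) and the sample events are assumptions loosely modelled on Endpoint.Filesystem-style data.

```python
"""Flag .aspx files created in the Exchange drop directories named on the page.

Added example; not the page's Splunk search. Field names and sample events
are constructed assumptions, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Drop locations from the description. They are matched as substrings of the
# lower-cased directory part of the path, so files in subdirectories beneath
# them (e.g. aspnet_client\system_web\) also match.
WEB_SHELL_DROP_PATHS = (
    "\\HttpProxy\\owa\\auth\\",
    "\\inetpub\\wwwroot\\aspnet_client\\",
    "\\HttpProxy\\OAB\\",
)

EXCHANGE_FRONTEND = "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd"

# Constructed sample events (one JSON object per line, as a file-system
# data source might emit them). Three are drops, three are benign/irrelevant.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"dest": "exch01", "process_name": "w3wp.exe", "action": "created",
     "file_path": EXCHANGE_FRONTEND + "\\HttpProxy\\owa\\auth\\help.aspx"},
    {"dest": "exch01", "process_name": "UMWorkerProcess.exe", "action": "created",
     "file_path": "C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\shell.aspx"},
    {"dest": "exch02", "process_name": "w3wp.exe", "action": "created",
     "file_path": EXCHANGE_FRONTEND + "\\HttpProxy\\OAB\\errorFF.aspx"},
    # Benign: not an .aspx file
    {"dest": "exch02", "process_name": "explorer.exe", "action": "created",
     "file_path": "C:\\inetpub\\wwwroot\\aspnet_client\\logo.png"},
    # Benign: .aspx, but not in one of the listed drop directories
    {"dest": "exch02", "process_name": "msiexec.exe", "action": "created",
     "file_path": EXCHANGE_FRONTEND + "\\HttpProxy\\ecp\\auth\\timeout.aspx"},
    # Not a creation event, so out of scope for this detection
    {"dest": "exch01", "process_name": "cmd.exe", "action": "deleted",
     "file_path": EXCHANGE_FRONTEND + "\\HttpProxy\\owa\\auth\\old.aspx"},
]]


def matched_drop_path(file_path):
    """Return the drop directory that file_path falls under, or None.

    Only .aspx files count (extension compared case-insensitively), and the
    match is made on the directory portion of the path, not the file name.
    """
    path = PureWindowsPath(file_path.replace("/", "\\"))
    if path.suffix.lower() != ".aspx":
        return None
    directory = str(path.parent).lower() + "\\"
    for drop in WEB_SHELL_DROP_PATHS:
        if drop.lower() in directory:
            return drop
    return None


def detect_web_shell_drops(event_lines):
    """Run the detection over JSON event lines; return the suspicious ones.

    Each hit records the host, the writing process (the triage pivot the
    page calls out), the full path, the file name and the matched directory.
    """
    hits = []
    for line in event_lines:
        event = json.loads(line)
        if event.get("action") != "created":
            continue
        file_path = event.get("file_path", "")
        drop = matched_drop_path(file_path)
        if drop is None:
            continue
        hits.append({
            "dest": event.get("dest"),
            "process_name": event.get("process_name"),
            "file_path": file_path,
            "file_name": PureWindowsPath(file_path).name,
            "matched_drop_path": drop,
        })
    return hits


if __name__ == "__main__":
    for hit in detect_web_shell_drops(SAMPLE_EVENTS):
        print(json.dumps(hit))
```

Each hit carries the process name that wrote the file; on a real hit, that value plus the IIS logs for the same window are the first things to pull, since they show which request path delivered the file.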


Detect Exchange Web Shell Help

To successfully implement this search you need to be ingesting process and file-system activity from your endpoints, including the name of the process responsible for each change, into the Endpoint data model in the Processes and Filesystem nodes.
