exchange_webshell_detection
Cyber-Defence
| | exchange_webshell_detection | Cyber-Defence |
|---|---|---|
| | 8 | 6 |
| Stars | 83 | 471 |
| Growth | - | 0.0% |
| Activity | 4.4 | 1.8 |
| Last commit | about 3 years ago | over 2 years ago |
| Language | PowerShell | Python |
| | - | - |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
exchange_webshell_detection
- CERT Latvia False Positive on their Detect Webshells Script
- CERT Latvia False Positive on their Detect Webshells Script
- Windows Defender quarantined Microsoft Exchange exploit attempt immediately & reset virtual OAB directory. Am I still compromised?
- cert-lv/exchange_webshell_detection - Detect webshells dropped on Microsoft Exchange servers exploited through the "proxylogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
HAFNIUM - Edited Files and File Left behind and other inquiries
Here's a script I found on bleepingcomputer that searches for several files. https://github.com/cert-lv/exchange_webshell_detection
- Detect webshells dropped on Microsoft Exchange servers exploited through the "proxylogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)
At Least 30k U.S. Organizations Newly Hacked via Holes in MS’s Email Software
There's a PowerShell script to check your server here: https://github.com/cert-lv/exchange_webshell_detection
Cyber-Defence
- Microsoft Exchange file lists and hashes and modified / added file checking tool
- Complete file lists and hash sets for Microsoft Exchange 2013 CU23, 2016 CU19 and 2019 RTM to CU8 to help with discovery of modified or unexpected files post compromise
- At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
At Least 30k U.S. Organizations Newly Hacked via Holes in MS’s Email Software
Unfortunately a few comments here have honed in on one contrived example of why I think this strategy is broken. To give another contrived example: I personally had a logon to this portal, but it broke last year when they integrated logons with Azure and it took me like three months to get it fixed.
The fact a critical security update can't just be downloaded is bad. I don't care if someone in sales thinks every licensed user should probably be able to get it. Here NCC produced a list of "valid" files to help people scan for not legit files. Except they don't have Exchange 2019 CU 8 because they couldn't get it:
https://github.com/nccgroup/Cyber-Defence/tree/master/Intell...
Microsoft has a hard limit (5?) on the number of individual accounts you can grant access and in a big enough org it's still plausible they'll be scattered across the world and you'll find none of them available the exact hour you need this update.
What are some alternatives?
CSS-Exchange - Exchange Server support tools and scripts
PowerZure - PowerShell framework to assess Azure security
Get-ExchangeEnvironmentReport - This script creates an HTML report showing the following information about an Exchange 2019, 2016, 2013, 2010, and, to a lesser extent, 2007 and 2003 environment.
Encrypt-Delete-Test - Can it really protect from ransomware encryption?