Exchange Report - ProxyShell

Remediation

Please note that some of these webshells are "hiding" themselves as reserved Windows namespaces (such as "COM1") and/or modifying permissions to make them inaccessible by normal methods. This prevents you from seeing the folder in Explorer or the Command-prompt without changing settings.

To remove this, you'll need to create a batch script with the following text in it:

set direct=c:\users\all users\com

takeown /f "%direct%" /a /r /d n
set direct=\\.\%direct%
icacls "%direct%" /remove:d system /t
icacls "%direct%" /remove:d Administrators /t
icacls "%direct%" /remove:d Users /t
icacls "%direct%" /grant:r system:f /t
icacls "%direct%" /grant:r "CREATOR OWNER":f /t
rd "%direct%" /s /q

You'll need run the batch file for each Malicious Webshell Path you have in your Huntress Incident Report, changing the first line every time (and only the first line). For the example Incident Report below would have the first line of:  set direct=c:\ProgramData\COM\oddwE 

 Once the batch script is created, it will need to be run as "NT AUTHORITY\SYSTEM", so you can either use psexec to runas the batch file as SYSTEM, or start up Task Scheduler. 
 
For task scheduler: create a new scheduled task, set User or Group to be "NT AUTHORITY\SYSTEM", run with highest privileges, trigger doesn't matter what you set, actions will be the full path and file name like c:\intel\huntress.bat, and the rest of the settings don't matter in this case. Once it's all setup you can right click on the new task and run it. 

Please note that these new vulnerabilities were identified after the "ProxyLogon" vulnerabilities so more recent patches are required. The patches needed are listed here.