Team: Huntress EDR
Product: Exchange Patch Management, ProxyShell
Environment: Exchange Server
Summary: Exchange servers are highly targeted and often prone to attacks like ProxyShell. We recommend regular patching to ensure vulnerabilities are addressed as soon as possible.
Recently, security researchers published details about new vulnerabilities found in Exchange Server. These new vulnerabilities, referred to as "ProxyShell", are different from the "ProxyLogon" vulnerabilities from March 2021.
Please follow our blog for the latest information: Huntress Blog: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit
It's critical that you immediately patch any Exchange servers you may have with the appropriate Exchange Server patches released by Microsoft.
Please reference the following resources for more information on ProxyShell:
- Microsoft: Released: July 2021 Exchange Server Security Updates
- Bleeping Computer: Microsoft Exchange servers are getting hacked via ProxyShell exploits
- TechTarget: Many Exchange servers still vulnerable to ProxyLogon, ProxyShell
Remediation
Please note that some of these webshells are "hiding" themselves in folders named after reserved Windows device names (such as "COM1") and/or modifying permissions to make them inaccessible by normal methods. This prevents you from seeing the folder in Explorer or the Command Prompt without changing settings.
To remove this, you'll need to create a batch script with the following text in it:
set direct=c:\users\all users\com
takeown /f "%direct%" /a /r /d n
set direct=\\.\%direct%
icacls "%direct%" /remove:d system /t
icacls "%direct%" /remove:d Administrators /t
icacls "%direct%" /remove:d Users /t
icacls "%direct%" /grant:r system:f /t
icacls "%direct%" /grant:r "CREATOR OWNER":f /t
rd "%direct%" /s /q
You'll need to run the batch file for each Malicious Webshell Path you have in your Huntress Incident Report, changing the first line every time (and only the first line). For the example Incident Report shown below, the first line would be: set direct=c:\ProgramData\COM\oddwE
Once the batch script is created, it will need to be run as "NT AUTHORITY\SYSTEM", so you can either use PsExec to run the batch file as SYSTEM, or start up Task Scheduler.
For Task Scheduler: create a new scheduled task, set User or Group to "NT AUTHORITY\SYSTEM", check "Run with highest privileges", set any trigger (it does not matter which), set the action to the full path and file name of the batch file, such as c:\intel\huntress.bat, and leave the rest of the settings at their defaults. Once it's all set up, you can right-click on the new task and run it.
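As an added example (not the Huntress article's own batch file), the PowerShell script below applies the same takeown / icacls / rd sequence, including the \\.\ device-namespace prefix, to every path listed in a text file, so the batch file does not have to be edited and re-run once per Malicious Webshell Path. The -RegisterTask switch does the Task Scheduler steps described above from the command line (run as NT AUTHORITY\SYSTEM, highest privileges, no trigger needed because the task is started on demand). Everything not in the article is an assumption: the file locations under C:\intel\, the task name, the log file, and the extra icacls /save step that keeps a copy of the tampered DACLs before they are changed. It needs the ScheduledTasks module (Windows Server 2012 or later).

```powershell
# Remove-HiddenWebshells.ps1  (added example; assumed path C:\intel\Remove-HiddenWebshells.ps1)
# Input file: one Malicious Webshell Path per line, copied from the Incident Report,
# e.g. c:\ProgramData\COM\oddwE (the article's example path).
param(
    [string]$PathList     = 'C:\intel\webshell_paths.txt',   # assumed location
    [string]$AclBackupDir = 'C:\intel\webshell_acls',        # assumed location
    [string]$TaskName     = 'HuntressWebshellPurge',         # assumed name
    [switch]$RegisterTask
)

function Remove-HiddenWebshellDir {
    param([Parameter(Mandatory)][string]$Path)

    # Step 1: take ownership using the plain path, as in the article's batch file.
    takeown /f "$Path" /a /r /d n | Out-Null

    # Step 2: switch to the \\.\ device-namespace form. This is what lets icacls and rd
    # reach a folder whose name is a reserved device name such as COM1.
    $devicePath = "\\.\$Path"

    # Addition to the article's sequence: save the current DACLs before changing them,
    # so the permissions the attacker set are preserved for the investigation.
    if (-not (Test-Path -LiteralPath $AclBackupDir)) {
        New-Item -ItemType Directory -Path $AclBackupDir | Out-Null
    }
    $aclFile = Join-Path $AclBackupDir (($Path -replace '[:\\]', '_') + '.acl')
    icacls "$devicePath" /save "$aclFile" /t | Out-Null

    # Steps 3-5 from the article: remove the deny entries, restore full control
    # for SYSTEM and CREATOR OWNER, then delete the folder tree.
    foreach ($principal in 'system', 'Administrators', 'Users') {
        icacls "$devicePath" /remove:d $principal /t | Out-Null
    }
    icacls "$devicePath" /grant:r 'system:f' /t | Out-Null
    icacls "$devicePath" /grant:r 'CREATOR OWNER:f' /t | Out-Null
    cmd.exe /c rd "$devicePath" /s /q

    # Verify through the device path as well; a plain Test-Path cannot see reserved names.
    # dir sets a non-zero exit code when the path no longer exists.
    cmd.exe /c dir "$devicePath" 2>&1 | Out-Null
    return ($LASTEXITCODE -ne 0)
}

if ($RegisterTask) {
    # Scripted equivalent of the Task Scheduler steps: run this same script as SYSTEM
    # with highest privileges and start it immediately. Run this branch from an
    # elevated prompt:  powershell -File C:\intel\Remove-HiddenWebshells.ps1 -RegisterTask
    $args      = "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -PathList `"$PathList`" -AclBackupDir `"$AclBackupDir`""
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument $args
    $principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName
    return
}

# Purge branch (runs under the scheduled task, so results go to a log file, not the console).
$log = Join-Path $AclBackupDir 'purge.log'
foreach ($line in Get-Content -LiteralPath $PathList) {
    $p = $line.Trim()
    if (-not $p) { continue }
    $gone = Remove-HiddenWebshellDir -Path $p
    $state = if ($gone) { 'removed' } else { 'STILL PRESENT - check manually' }
    Add-Content -LiteralPath $log -Value "$(Get-Date -Format s) $p : $state"
}
```

After the task finishes, read C:\intel\webshell_acls\purge.log (the assumed log location): each path from the Incident Report should show "removed", and any line marked "STILL PRESENT" should be handled with the original batch file procedure above. The saved .acl files can be kept with the rest of the incident evidence.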
Please note that these new vulnerabilities were identified after the "ProxyLogon" vulnerabilities so more recent patches are required. The patches needed are listed here.