In this blog post we will provide Microsoft Azure Sentinel customers with hunting queries to investigate possible on-premises Exchange Server exploitation and identify additional attacker IOCs (Indicators of Compromise) such as IP address and User Agent. These hunting techniques can also be applied to web shell techniques targeting other web applications.

The techniques we discuss below have been adapted from the June 2020 blog post: Web shell threat hunting with Azure Sentinel and Microsoft Threat Protection. The previous blog post analysed an attack against a SharePoint server; however, many of the techniques can also be applied to Exchange servers, since Exchange also uses IIS to host its web interfaces.

Recent vulnerabilities in on-premises Microsoft Exchange servers have led to the deployment of web shells by threat actors. More information on these vulnerabilities can be found in this MSRC blog, and details on the threat actor HAFNIUM using these vulnerabilities can be found in this MSTIC blog. MSRC has also provided guidance for responders and a one-click tool for remediation, and automatic remediation is delivered through Microsoft Defender for Endpoint. Our colleagues in Microsoft Defender Threat Intelligence have authored another blog that provides additional details on the use of web shells in attacks taking advantage of Exchange Server.

The below diagram provides a high-level overview of an attacker leveraging these vulnerabilities to install a web shell on an Exchange server.

Microsoft 365 Defender (M365D) detects web shell installation and execution activity. Security alerts and incidents generated by M365D can be written to the SecurityAlert table in Azure Sentinel by enabling the appropriate connector. An example of a web shell installation alert in the Azure Sentinel SecurityAlert table can be seen below. These alerts can be enriched in Azure Sentinel with new information from other log sources.

When dealing with remote attacks on web application servers, one of the best enrichment sources available is the web logs that have been generated. In the case that the application server is Microsoft Exchange, the W3CIISLog table can be used to enrich M365D alerts with potential attacker information. Information on collecting IIS logs using the Log Analytics agent can be found here.

Identifying the Attacker IP address from Microsoft 365 Defender alerts

The query below extracts alerts from M365D where a web script file has been observed as part of the alert. A version of the query below is already available as an Azure Sentinel detection and can be found here. In the below example, alerts containing ASP, ASPX, ASMX and ASAX files will be extracted; these are web script files commonly used by Exchange servers. After extracting the relevant web shell alerts, the query joins the alert information with the W3CIISLog table. This allows the query to identify any clients that have accessed the potential shell file, allowing the potential attacker to be identified.

```kql
// Script file extensions to match on, can be expanded for your environment
let scriptExtensions = dynamic([".asp", ".aspx", ".asmx", ".asax"]);
SecurityAlert
// M365D / Defender for Endpoint alerts; adjust the provider filter to match your connector
| where ProviderName == "MDATP"
// Entities is a JSON array of alert entities; expand it so each file entity is its own row
| extend alertData = parse_json(Entities)
| mv-expand alertData
| where alertData.Type == "file"
// This can be expanded to include more file types
| where alertData.Name has_any (scriptExtensions)
| extend FileName = tostring(alertData.Name), Directory = tostring(alertData.Directory)
| project TimeGenerated, FileName, Directory
// Join with the IIS logs on the script file name to find the clients that requested it
| join kind=inner (
    W3CIISLog
    | where csUriStem has_any (scriptExtensions)
    | extend splitUriStem = split(csUriStem, "/")
    // The requested file name is the last segment of the URI stem
    | extend FileName = tostring(splitUriStem[-1])
    | summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated) by AttackerIP=cIP, AttackerUserAgent=csUserAgent, SiteName=sSiteName, ShellLocation=csUriStem, tostring(FileName)
) on FileName
| project StartTime, EndTime, AttackerIP, AttackerUserAgent, SiteName, ShellLocation
```

Identifying Exchange Servers & Associated Security Alerts

Exchange servers can be challenging to identify in default log data; however, using the data available in W3CIISLog, Exchange servers can be identified by the predictable URI strings they serve, without relying on the hostname or site name.
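As an added example of the approach just described (this is not the blog's own query), the query below tags Exchange servers in W3CIISLog by the virtual directories Exchange exposes, then lists the security alerts raised on those hosts. It assumes W3CIISLog and SecurityAlert are both ingested, that the IIS host name and the alert host entity share the same short machine name, and a constructed minimum-request threshold.

```kql
// Added example, not the blog's own query. Assumes W3CIISLog and SecurityAlert are
// ingested and that sComputerName and the alert host entity share a short machine name.
let timeRange = 7d;
// Minimum matching requests before a host is treated as Exchange (assumed threshold;
// a single probe from a scanner should not be enough to tag a server)
let minHits = 50;
let exchangeServers = W3CIISLog
| where TimeGenerated > ago(timeRange)
// Exchange virtual directories appear in csUriStem whatever the server or IIS site is called
| where csUriStem matches regex @"(?i)^/(owa|ecp|ews|mapi|oab|rpc|autodiscover|microsoft-server-activesync|powershell)(/|$)"
| extend Computer = tolower(tostring(split(sComputerName, ".")[0]))
| summarize ExchangeHits = count(),
            Paths = make_set(tolower(tostring(split(csUriStem, "/")[1])), 10),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Computer
| where ExchangeHits >= minHits;
// Pull every alert whose host entity is one of the servers identified above
SecurityAlert
| where TimeGenerated > ago(timeRange)
| extend entities = parse_json(Entities)
| mv-expand entity = entities
| where entity.Type == "host"
| extend Computer = tolower(tostring(split(tostring(entity.HostName), ".")[0]))
| join kind=inner exchangeServers on Computer
| project TimeGenerated, Computer, AlertName, AlertSeverity, ProviderName,
          ExchangeHits, Paths, FirstSeen, LastSeen
| order by TimeGenerated desc
```

The Paths set shows which Exchange endpoints each tagged host actually served, which helps rule out a reverse proxy or load balancer that merely forwards Exchange traffic.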