Alert Pack: Possible Exchange Server RCE (ProxyNotShell)

[ 1 Purpose ] [ 2 Prerequisites ] [ 3 Open alert pack ] [ 4 Use alert pack ]

Purpose

This alert pack is part of the response resources delivered by Devo to quickly detect the potential execution of remote code on an Exchange Server. On September 29, 2022, cybersecurity organization GTSC published a report outlining attacks they have seen in the wild targeting as-yet unpatched vulnerabilities in Microsoft Exchange. When successfully exploited, this combination of vulnerabilities results in an authenticated Remote Code Execution (RCE) attack.

More information here.

SecOpsProxyNotShellHashIoc: This alert searches through the logs from EDR techs looking for post-exploitation process and files based on hashes values.

SecOpsProxyNotShell: This alert searches through the logs for GET requests sent to this URL: autodiscover/autodiscover.json?@evil.com/<Exchange-backend-endpoint>&Email=autodiscover/autodiscover.json%3f@evil.com\r\n

SecOpsProxyNotShellIpIoc: This alert searches through the logs from firewall techs trying to detect connections to or from IP addresses.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

edr.all.threats
web.iis.accessW3cAll ^{learn more}
firewall.all.traffic

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.