Techniques
Sample rules
Exchange PowerShell Abuse via SSRF
- source: splunk
- technicques:
- T1190
- T1133
Description
The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to autodiscover.json containing PowerShell in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment.
Detection logic
`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
| stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `exchange_powershell_abuse_via_ssrf_filter`