LoFP / limited false positives, however, tune as needed.

Techniques

Sample rules

Exchange PowerShell Abuse via SSRF

Description

This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752, which utilizes the Web data model. Modification of this analytic is required to ensure fields are mapped accordingly.

A suspicious event combines three things: the HTTP method POST, a request to autodiscover.json, and the string PowerShell in the URI query. Together these indicate that the Exchange front end was used as an SSRF proxy to reach the PowerShell endpoint on the back end.

An event will look similar to POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d... (abbreviated). Review the source IP attempting to perform this activity against your environment. In addition, review PowerShell logs and any access recently granted to Exchange roles, since successful exploitation typically ends with the attacker running Exchange cmdlets as a privileged user.

Detection logic

`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST" 
| stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `exchange_powershell_abuse_via_ssrf_filter`