Exchange PowerShell Abuse via SSRF
- source: splunk
- techniques:
  - T1190
  - T1133
Description
This analytic identifies suspicious behavior related to ProxyShell against on-premise Microsoft Exchange servers. This analytic has been replaced by GUID d436f9e7-0ee7-4a47-864b-6dea2c4e2752, which utilizes the Web Datamodel. Modification of this analytic is required to ensure fields are mapped accordingly.
A suspicious event will have PowerShell, the method POST and autodiscover.json. This is indicative of accessing PowerShell on the back end of Exchange with SSRF.
An event will look similar to POST /autodiscover/autodiscover.json a=dsxvu@fnsso.flq/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3d... (abbreviated)
Review the source attempting to perform this activity against your environment. In addition, review PowerShell logs and access recently granted to Exchange roles.
Detection logic
`exchange` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
| stats count min(_time) as firstTime max(_time) as lastTime by dest, cs_uri_query, cs_method, c_uri
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `exchange_powershell_abuse_via_ssrf_filter`
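As an added example (not part of the Splunk content above), the three indicators from the description (POST, autodiscover.json, PowerShell) and the search's stats aggregation by dest, cs_uri_query, cs_method and c_uri, applied in Python to constructed IIS W3C-style log lines; the log layout, field mapping and the placeholder token value are assumptions.

```python
import re
from datetime import datetime

# Constructed IIS W3C-style Exchange front-end log lines (sample data, not real traffic).
# Assumed field order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip
SAMPLE_LOG = """\
2021-08-12 09:14:05 10.0.0.5 POST /autodiscover/autodiscover.json a=x@y.z/powershell/?X-Rps-CAT=PLACEHOLDER 443 198.51.100.23
2021-08-12 09:14:07 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 203.0.113.9
2021-08-12 09:15:41 10.0.0.5 POST /autodiscover/autodiscover.json a=x@y.z/powershell/?X-Rps-CAT=PLACEHOLDER 443 198.51.100.23
2021-08-12 09:16:02 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@example.test 443 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dest>\S+) (?P<cs_method>\S+) "
    r"(?P<c_uri>\S+) (?P<cs_uri_query>\S+) (?P<s_port>\S+) (?P<src>\S+)$"
)

def parse_line(line):
    """Map one W3C log line onto the field names the Splunk search uses (assumed mapping)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["_time"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
    return rec

def is_suspicious(rec):
    """The three indicators from the description: POST, autodiscover.json, PowerShell.
    Substring checks are case-insensitive, like Splunk's wildcard field matching."""
    return (
        rec["cs_method"].upper() == "POST"
        and "autodiscover.json" in rec["c_uri"].lower()
        and "powershell" in rec["cs_uri_query"].lower()
    )

def detect(log_text):
    """Equivalent of `stats count min(_time) max(_time) by dest, cs_uri_query, cs_method, c_uri`:
    one row per key with count, firstTime and lastTime."""
    rows = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_suspicious(rec):
            continue
        key = (rec["dest"], rec["cs_uri_query"], rec["cs_method"], rec["c_uri"])
        row = rows.setdefault(key, {"count": 0, "firstTime": rec["_time"], "lastTime": rec["_time"]})
        row["count"] += 1
        row["firstTime"] = min(row["firstTime"], rec["_time"])
        row["lastTime"] = max(row["lastTime"], rec["_time"])
    return rows
```

On the sample above only the two PowerShell-bearing POSTs are flagged, collapsed into one row with count 2; the plain autodiscover POST and the OWA GET are not.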