Update 11/8/2022: We have now released November 2022 Security Updates for Exchange Server. Please install those (or newer) updates to address vulnerabilities mentioned in this post. Mitigations are n...
Updated Nov 08, 2022
Version 17.0
Blog Post
2 MIN READ
Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server
As far as detection of the vulnerability I can up with this powershell. I think it works but I'm not 100% sure. Maybe some peer review?
get-exchangeserver | ? {$_.name -like "*CASServerName*"} | %{Write-Host "On Server" $_.name;Invoke-Command -ComputerName $_.name -ScriptBlock {$Files = (Get-ChildItem -Recurse -Path C:\inetpub\logs\LogFiles\W3SVC1 -Filter "*.log").FullName;$Output = $files | %{Select-String -Path $_ -Pattern 'powershell.*autodiscover\.json.*\@.*200'};Write-Host $Output}}
Change the get-exchangeserver to match your needs.
Change the path to where ever your IIS logs are for the Default WebSite.
I didn't find any hits which is a good thing. I changed it to be wide using -Pattern 'autodiscover' and did find many hits as expected.
Comments please.