Nino_Bilic Thanks Nino. I saw that and just ran it this morning. Came back clean. So I feel, based on the information we have up to this point, we were very lucky. Do you think it can be said with reasonable confidence that if all you found were Autodiscover log entries and MSERT did not find anything, there is a high likelihood you were just probed?
I also have a question I hope someone can answer: the Autodiscover entries correspond to a POST in the IIS logs to /ecp/y.js. This file doesn't exist on the server and I haven't been able to find a good explanation of what is going on here in the attack. Is the POST request sent to this file what contains the commands to perform authentication bypass? Or is it what is performing the Autodiscover request? Is it even a real file? Does it matter if it doesn't actually exist?
Sorry, I don't understand how this works. If anyone could shed some light, please!