Mar 07 2021 04:32 AM
Server was patched ASAP on Wednesday but may have been too late.
Running the Test-ProxyLogon.ps1 from GitHub gave these results:
2021-03-06T09:31:03.800Z ServerInfo~<no value>.82a595b7c3182062c44a.d.requestbin.net/ecp/default.flt?
Our A/V is up to date, and a full scan with that product and an additional product showed no infections.
How do I clean up any of the IIS / autodiscover changes?
Mar 08 2021 04:40 AM
It looks like we never got any web shells installed.
None of the .aspx files on the MS list of suspect files were found.
Also, no zip/7z files in ProgramData.
We also ran a number of scanners to see if any payloads had been dropped.
We're monitoring traffic to and from the server to unknown devices.
This is a good resource from FireEye: https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft...
MS needs to publish a more detailed document on detecting and removing the various pieces.
The Test-ProxyLogon.ps1 and other scripts from MS are OK but could provide more information.
Mar 08 2021 05:38 AM
I think I'm in the same boat as you. No webshells, no suspicious aspx files and no 7z files.
Firstly I ran Test-ProxyLogon.ps1 and it found evidence of CVE-2021-26855 & CVE-2021-27065.
Then I ran BackendCookieMitigation.ps1 (already done the URL Rewrite a little while ago, but this does a bit more, so I let it do its thing).
I also ran the Microsoft Safety Scanner and it found evidence of Exploit:ASP/CVE-2021-27065.B!dha, it said it removed it and needed a reboot. I'm currently nearly 2hrs through a second pass and it hasn't found anything so far.
What other scanners did you run? Thanks for the heads up on the FireEye link, I'll give that a read. We have CrowdStrike Falcon installed on all machines and I was hoping it would have caught it in time. Seems like it didn't quite get there. I patched this Exchange 2019 server last Wednesday, when Microsoft sent out the emails warning us to fix it or face the consequences. Seems like my suspicious activity happened on 03/03/2021, meaning I patched it the day it happened.
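The file-system checks the two posts above describe (suspect .aspx files in the published web-shell locations, zip/7z archives under ProgramData), written out as an added example. This is not code from the thread or from Microsoft's scripts; the directory list and the archive extensions are the ones Microsoft published, while the `$Since` cut-off, the content heuristic and the report path are my assumptions.

```powershell
# Added example, not from this thread and not one of Microsoft's scripts. Read-only sweep of the
# locations Microsoft published for the March 2021 Exchange web shells (.aspx under aspnet_client
# and owa\auth) and the compressed archives dropped in ProgramData. $Since, $shellPattern and
# $ReportPath are my assumptions, not published indicators.

function Invoke-ExchangeWebShellSweep {
    [CmdletBinding()]
    param(
        [string]$ExchangeRoot = (Join-Path $env:ProgramFiles 'Microsoft\Exchange Server\V15'),
        [datetime]$Since = (Get-Date '2021-02-26'),   # assumption: earliest date worth flagging
        [string]$ReportPath = (Join-Path $env:TEMP 'exchange-sweep.csv')
    )

    # Directories where dropped web shells were reported (aspnet_client is recursed, so system_web is covered).
    $shellDirs = @(
        'C:\inetpub\wwwroot\aspnet_client',
        (Join-Path $ExchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
        'C:\Exchange\FrontEnd\HttpProxy\owa\auth'
    )
    # Heuristic (assumption): a server-side script block that evals request input on one line.
    $shellPattern = 'runat\s*=\s*"server".*(eval\s*\(|Request\s*\[)'

    $findings = [System.Collections.Generic.List[object]]::new()

    foreach ($dir in $shellDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Filter '*.aspx' -File -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object {
                $recent      = ($_.CreationTime -ge $Since) -or ($_.LastWriteTime -ge $Since)
                $content     = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                $matched     = $content -and ($content -match $shellPattern)
                # A clean install has no .aspx under aspnet_client at all, so anything there is flagged.
                $underAspnet = $_.FullName -like 'C:\inetpub\wwwroot\aspnet_client\*'
                if ($underAspnet -or $recent -or $matched) {
                    if ($matched)         { $category = 'AspxEvalPattern' }
                    elseif ($underAspnet) { $category = 'AspxInAspnetClient' }
                    else                  { $category = 'RecentAspx' }
                    $findings.Add([pscustomobject]@{
                        Category = $category
                        Path     = $_.FullName
                        Created  = $_.CreationTime
                        Modified = $_.LastWriteTime
                        SizeKB   = [math]::Round($_.Length / 1KB, 1)
                        SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    })
                }
            }
    }

    # Archives in ProgramData: credential dumps and staged exports were compressed here.
    Get-ChildItem -LiteralPath $env:ProgramData -Recurse -File -Include '*.zip', '*.rar', '*.7z' -ErrorAction SilentlyContinue |
        Where-Object { ($_.CreationTime -ge $Since) -or ($_.LastWriteTime -ge $Since) } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Category = 'ArchiveInProgramData'
                Path     = $_.FullName
                Created  = $_.CreationTime
                Modified = $_.LastWriteTime
                SizeKB   = [math]::Round($_.Length / 1KB, 1)
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            })
        }

    $findings | Export-Csv -LiteralPath $ReportPath -NoTypeInformation
    return $findings
}

Invoke-ExchangeWebShellSweep | Sort-Object Category, Modified |
    Format-Table Category, Modified, SizeKB, Path -AutoSize
```

Two caveats when reading the report: installing the March security update rewrites the legitimate .aspx files under owa\auth, so a recent timestamp there on its own is not evidence; the content match and a hash comparison against a known-clean server are what separate a dropped shell from a patched file. The sweep also only covers the published locations, so an empty report means "not in the usual places", not "clean".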
Mar 08 2021 10:06 AM
Mine finished and it was clean. Guess I dodged the bullet... Ran a few other scripts that I found on GitHub. Looks like it was attempted but nothing stuck. The HTTP proxy logs just record the attempt, if I understand correctly?
I had just locked down everything on our firewall after our migration a month back and put on the latest Malwarebytes and another AV.
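On the HttpProxy question in the post above, here is an added example (not from the thread) that pulls out the CVE-2021-26855 indicator Microsoft published for those logs: a request with an empty AuthenticatedUser whose AnchorMailbox is `ServerInfo~<host>/<path>`, which is the shape of the line in the first post. The sample log is constructed, carries only the columns the function reads, and the "External" column is my own heuristic for telling an out-of-band probe from a request pointed at the server itself.

```powershell
# Added example, not from this thread. Triage of Exchange HttpProxy logs for the CVE-2021-26855
# indicator Microsoft published (no AuthenticatedUser, AnchorMailbox like 'ServerInfo~*/*').
# The sample below is constructed and has far fewer columns than a real log; Import-Csv matches
# by header name, so the same function runs unchanged over real files.

function Get-ProxyLogonSsrfHits {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]]$LogPath)

    foreach ($file in $LogPath) {
        Import-Csv -LiteralPath $file |
            Where-Object { [string]::IsNullOrEmpty($_.AuthenticatedUser) -and ($_.AnchorMailbox -like 'ServerInfo~*/*') } |
            ForEach-Object {
                # The text between "ServerInfo~" and the first "/" is the host the SSRF was aimed at.
                $target = $_.AnchorMailbox.Substring('ServerInfo~'.Length).Split('/')[0]
                [pscustomobject]@{
                    DateTime   = $_.DateTime
                    ClientIp   = $_.ClientIpAddress
                    UrlStem    = $_.UrlStem
                    HttpStatus = $_.HttpStatus
                    Target     = $target
                    # Heuristic (assumption): a target that is not this server's own name is an external callback.
                    External   = ($target -ne $env:COMPUTERNAME) -and ($target -notlike "$env:COMPUTERNAME.*")
                    LogFile    = Split-Path -Path $file -Leaf
                }
            }
    }
}

# --- Constructed sample (not a real log): two unauthenticated SSRF probes, one normal request ---
$sample = @'
DateTime,RequestId,AuthenticatedUser,AnchorMailbox,ClientIpAddress,UrlStem,HttpStatus
2021-03-03T08:12:41.100Z,aaaa,,ServerInfo~probe.callback.example/ecp/default.flt?,203.0.113.10,/owa/auth/x.js,500
2021-03-03T08:12:42.300Z,bbbb,,ServerInfo~EXCH01.corp.example/autodiscover/autodiscover.xml,203.0.113.10,/ecp/y.js,200
2021-03-03T08:15:09.000Z,cccc,corp\alice,Smtp~alice@corp.example,192.0.2.25,/owa/,200
'@
$sampleFile = Join-Path $env:TEMP 'HttpProxy-sample.log'
Set-Content -LiteralPath $sampleFile -Value $sample

$hits = Get-ProxyLogonSsrfHits -LogPath $sampleFile
$hits | Format-Table DateTime, ClientIp, UrlStem, HttpStatus, Target, External -AutoSize
# One source address hitting many targets is the signature of a scan rather than a targeted session.
$hits | Group-Object ClientIp | Select-Object Name, Count

# Against a real server (assumption: default install path under Program Files):
# $logs = Get-ChildItem -Recurse -Path "$env:ProgramFiles\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log'
# Get-ProxyLogonSsrfHits -LogPath $logs.FullName | Export-Csv -LiteralPath "$env:TEMP\proxylogon-hits.csv" -NoTypeInformation
```

What the HttpProxy entry tells you is that the request reached the front end and what status it got back; it does not by itself say whether the chained write (the CVE-2021-27065 half) succeeded. A hit whose Target is an external host, like the requestbin name in the first post, is an out-of-band probe checking whether the server is vulnerable. A hit whose Target is the server's own name, especially with an /ecp/ path and a 200, is the one to take to the ECP server logs and the file-system sweep.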
Mar 08 2021 10:11 AM
Looks like you have been really lucky. I'm in the process of migrating all the remaining mailboxes to o365 (something we were going to do anyway, 39 left) and building a brand new server at the same time as we are hybrid and still need a physical box. Looking into going fully hosted next, one less thing for me to worry about.
The only port I have open to the world on the compromised server is 443; everything else runs through Mimecast. I thought we would be in a much better position than most, but I guess I was wrong, despite patching as soon as the bulletin was released. You can't win them all, I guess!
Jul 30 2021 01:26 AM
I don't know if you got this resolved. Had a similar issue and this link solved this.