proxyshell.yml

name: ProxyShell
id: 413bb68e-04e2-11ec-a835-acde48001122
version: 1
date: '2021-08-24'
author: Michael Haag, Teoderick Contreras, Mauricio Velazco, Splunk
type: batch
description: ProxyShell is a chain of exploits targeting on-premise Microsoft Exchange
  Server - CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.
narrative: "During Pwn2Own April 2021, a security researcher demonstrated an attack \
  \ chain targeting on-premise Microsoft Exchange Server. August 5th, the same researcher \
  \ publicly released further details and demonstrated the attack chain. CVE-2021-34473 \
  \ Pre-auth path confusion leads to ACL Bypass (Patched in April by KB5001779) \
  \ CVE-2021-34523 - Elevation of privilege on Exchange PowerShell backend \
  (Patched in April by KB5001779) . CVE-2021-31207 - Post-auth Arbitrary-File-Write \
  \ leads to RCE (Patched in May by KB5003435) Upon successful exploitation, \
  \ the remote attacker will have SYSTEM privileges on the Exchange Server. In addition \ 
  \ to remote access/execution, the adversary may be able to run Exchange PowerShell \
  \ Cmdlets to perform further actions."
references:
- https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/
- https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
- https://www.youtube.com/watch?v=FC6iHw258RI
- https://www.huntress.com/blog/rapid-response-microsoft-exchange-servers-still-vulnerable-to-proxyshell-exploit#what-should-you-do
- https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Microsoft-Exchange-Server.pdf
tags:
  analytic_story: ProxyShell
  category:
  - Adversary Tactics
  - Ransomware
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  usecase: Advanced Threat Detection