cert-lv / exchange_webshell_detection

Detect webshells dropped on Microsoft Exchange servers exploited through the "proxylogon" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)

Found .aspx file cannot be read #4

Closed LThibx closed 3 years ago

LThibx commented 3 years ago

I downloaded and ran the detect_webshells.ps1 script. I received the following:

```
Select-String : The file C:\Program Files\Microsoft\Exchange Server\V15\Frontend\HttpProxy\owa\auth\281a6a4286.aspx cannot be read: Access to the path 'C:\Program Files\Microsoft\Exchange Server\V15\Frontend\HttpProxy\owa\auth\281a6a4286.aspx' is denied.
At D:\shared\Software\PowerShell\Scripts\Detect-WebShells\detect_webshells.ps1:140 char:38
```

I have reviewed the contents of that directory and also checked for hidden files, and have found nothing related to the 281a6a4286.aspx file.

```
Mode    LastWriteTime        Length  Name
d-----  12/12/2020 11:38 AM          15.0.1497
d-----  12/12/2020 11:39 AM          Current
-a----  5/29/2019 2:02 AM      7716  errorFE.aspx
-a----  5/29/2019 2:02 AM      7200  ExpiredPassword.aspx
-a----  5/29/2019 2:02 AM       110  getidtoken.htm
-a----  5/29/2019 2:02 AM      5254  logoff.aspx
-a----  5/29/2019 2:02 AM     15766  logon.aspx
-a----  5/29/2019 2:02 AM      1897  OutlookCN.aspx.LT
-a----  3/4/2021 4:42 AM       2333  OutlookEN.aspx.LT
-a----  5/29/2019 2:02 AM       332  RedirSuiteServiceProxy.aspx
-a----  5/29/2019 2:02 AM      4475  signout.aspx
-a----  5/29/2019 2:02 AM      4694  SvmFeedback.aspx
```

Hoping you can shed some light on the issue.

Lonnie

dr3wy commented 3 years ago

Hi Lonnie,

I'm afraid your server is most probably infected. You should preserve forensic evidence such as a memory dump and turn it off or at least quarantine it from the network. Get a Digital Forensics / Incident Response team to look at it (and at the rest of your AD!), if possible.

Exchange runs with SYSTEM level privileges, meaning code executed from it can create files that you won't be able to read as an Administrator. It can also install rootkits to manipulate what you're seeing, fooling you into believing that certain processes and files do not exist. Not sure whether that's the case or maybe the file just got deleted right when the script was trying to read it (which would be suspicious anyway), but in any case this file wasn't supposed to exist at that path and the script wouldn't invent it.

Btw, look manually at the file OutlookEN.aspx in the same directory. I bet it's a webshell, we're seeing a lot of those.

LThibx commented 3 years ago

Hi Andrew,

Yea, this server did get hit, that was evident by those Outlook*.aspx files that I renamed, keeping them for (evidence and reference), also by reports from other tools (HealthChecker, Test-Hafnium, Test-Proxylogon, etc) and the IOCs they have revealed. That is why I am continuing to search for other IOCs that these tools may not have identified.

I did just run your script again and did not get the warning I previously reported. So maybe you were right about it possibly being deleted right when the script was running initially (I am really hoping that is not the case, 'cause that would indicate activity). Machine was patched. Taking it down is not an option at this point. Just will have to continue to run interference and hope that it is not going deeper.

I am sure you are busy with these issues, so I won't take up any more of your time. Thanks for the feedback, and mostly, thanks for putting out scripts like this to help others.
I will hit close with comment as there is no issue here. Thanks again. Much appreciated. Lonnie

dr3wy commented 3 years ago

Hi Lonnie,

Trying "to run interference" might be a losing battle, but may I suggest the following actions:

  1. dump MFT (Master File Table) from the C: disk (assuming it's NTFS), e.g. with gomft
  2. parse that file with MFTECmd to convert it to csv/json or just eyeball visually through MFTExplorer (both projects by Eric Zimmerman: https://ericzimmerman.github.io)
  3. check out recently created / modified files (not just aspx), e.g. you should see the files you renamed/removed and maybe even that strangely named webshell
  4. you can go on to correlate times you see in MFT with web logs and vice versa

Also, in order for a webshell to get executed, there has to be a request to IIS, so you can look up names/paths in IIS logs.

As an aside, Windows Server provides ample means for monitoring, e.g. look into Sysmon. If configured properly, you can see all PowerShell commands that get executed, which will catch most of the attacks seen in the wild right now.
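
The correlation described in steps 3 and 4 above and in the IIS-log remark, as an added example that is not part of the original thread or the cert-lv project. The function names are hypothetical, the MFT column names (`ParentPath`, `FileName`, `Created0x10`) are assumed to match MFTECmd's CSV output, and every sample row, timestamp and IP address is constructed; both sources are treated as UTC.

```python
import csv, io
from datetime import datetime

AUTH = "\\FrontEnd\\HttpProxy\\owa\\auth"
# Constructed samples. MFT column names are assumed to match MFTECmd's CSV output.
SAMPLE_MFT_CSV = (
    "ParentPath,FileName,Created0x10\n"
    f".\\Program Files\\Microsoft\\Exchange Server\\V15{AUTH},logon.aspx,2019-05-29 02:02:10.0000000\n"
    f".\\Program Files\\Microsoft\\Exchange Server\\V15{AUTH},281a6a4286.aspx,2021-03-10 08:30:00.1234567\n"
)
SAMPLE_IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2021-03-10 08:20:11 GET /owa/auth/logon.aspx 198.51.100.7 200
2021-03-10 08:31:02 POST /owa/auth/281a6a4286.aspx 203.0.113.50 200
2021-03-10 08:33:40 POST /OWA/Auth/281A6A4286.aspx 203.0.113.50 200
2021-03-11 02:00:00 GET /owa/auth/281a6a4286.aspx 192.0.2.9 404
"""

def recent_files(mft_csv, since, under=AUTH):
    """Step 3: files under `under` created at or after `since` -> {name: created}."""
    found = {}
    for row in csv.DictReader(io.StringIO(mft_csv)):
        # Drop the fractional seconds; second resolution is enough for log correlation.
        created = datetime.strptime(row["Created0x10"][:19], "%Y-%m-%d %H:%M:%S")
        if row["ParentPath"].lower().endswith(under.lower()) and created >= since:
            found[row["FileName"].lower()] = created
    return found

def parse_w3c(text):
    """Yield one dict per IIS request; column names come from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated rows
                yield dict(zip(fields, values))

def correlate(mft_csv, iis_log, since):
    """Step 4: requests whose file name matches a recently created file.
    Returns (seconds after creation, client IP, method, status), sorted."""
    suspects = recent_files(mft_csv, since)
    hits = []
    for r in parse_w3c(iis_log):
        created = suspects.get(r["cs-uri-stem"].rsplit("/", 1)[-1].lower())
        if created:
            ts = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            hits.append((int((ts - created).total_seconds()), r["c-ip"], r["cs-method"], r["sc-status"]))
    return sorted(hits)
```

File names are compared case-insensitively because IIS resolves `/OWA/Auth/...` and `/owa/auth/...` to the same file on NTFS. A negative first element would mean the name was requested before the MFT creation time.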

LThibx commented 3 years ago

Andrew, that is a lot of valuable information. I will run thru those tasks shortly.
Oh & BTW... I run Sophos IX on these machines and I saw in my console where Sophos detected and cleaned up that .aspx file mentioned in my first. Time would seem to be around when I was running your script (I think). So that may explain my original reason for posting here:

```
Mar 10, 2021 8:37 AM Malware cleaned up: 'Troj/WShell-A' at 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\281a6a4286.aspx'
Mar 10, 2021 8:37 AM Malware detected: 'Troj/WShell-A' at 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\281a6a4286.aspx'
```

Thanks much for your help!