detection for proxyshell MSF module

2024-11-06 17:35:19 +00:00 · 2021-08-31 12:51:16 +02:00 · 2021-08-31 12:51:16 +02:00 · 3155f7172d
commit 3155f7172d
parent abf40ecfbc
1 changed files with 23 additions and 0 deletions
--- a/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
+++ b/rules/windows/other/win_exchange_proxyshell_remove_mailbox_export.yml
@ -0,0 +1,23 @@
+title: Remove Exported Mailbox from Exchange Webserver
+id: 09570ae5-889e-43ea-aac0-0e1221fb3d95
+status: experimental
+description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit
+references:
+    - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430
+author: Christian Burkard
+date: 2021/08/27
+logsource:        
+    service: msexchange-management
+    product: windows
+detection:
+    command: 
+        - 'Remove-MailboxExportRequest'
+        - ' -Identity '
+        - ' -Confirm "False"'
+    condition: all of command
+falsepositives:
+    - unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1070