Exchange Server backdoor investigation tools

The Story

After the disastrous exploit that was found in Microsoft Exchange Servers, lots of corporations immediately started patching their servers with the latest Cumulative Update and security patches. The question is: would those patches be enough if the server has already been hacked or already has a backdoor installed?

[Image: https://www.moh10ly.com/wp-content/uploads/2021/03/image.png]

What are those 0-day exploits?

The vulnerabilities recently being exploited were CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which Microsoft attributes to an alleged "state-sponsored Chinese group".

Let's get into the details of those exploits one by one:

CVE-2021-26855 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.

CVE-2021-26857 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted, user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.

CVE-2021-26858 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

CVE-2021-27065 (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server, they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin's credentials.

How to proceed?

Microsoft released a couple of tools that can diagnose your servers, check whether they have already been infected with a backdoor or any of this nasty malware, remove or clean the infected files, and ask you for a restart if one is required.

Tools:

1. MSERT (Microsoft Safety Scanner) detects web shells. Download here: https://definitionupdates.microsoft.com/download/DefinitionUpdates/VersionedSignatures/AM/1.333.160.0/amd64/MSERT.exe

2. Health Checker (scans your server for known vulnerabilities and checks whether you have the latest Server CU and security patches installed). Download here: https://mega.nz/folder/jlUh2CYD#BKUDo2i6Jsbc-XGI0uRwFA

3. Exchange WebShell Detection (a simple, fast PowerShell script that checks whether your IIS or Exchange directories have been exploited). Download here: https://mega.nz/folder/jlUh2CYD#BKUDo2i6Jsbc-XGI0uRwFA

4. Scan your Exchange server for ProxyLogon: https://github.com/microsoft/CSS-Exchange/tree/main/Security

5. Microsoft very recently created a mitigation tool for Exchange on-premises that rewrites URLs on the infected servers and recovers the files that were changed. You can download the tools from this GitHub link: https://github.com/microsoft/CSS-Exchange/tree/main/Security

   Copy the Test-ProxyLogon code into Notepad.
   Save As "Test-ProxyLogon.ps1" (with the quotes) in your C:\Temp folder.
   Run in Exchange Management Shell: .\Test-ProxyLogon.ps1 -OutPath C:\Temp

[Image: https://www.moh10ly.com/wp-content/uploads/2021/03/image2.jpg]

Scan Result

The scan result should show you the following if your servers have already been exploited.

This will remove the infections and ask for a restart.

[Image: https://www.moh10ly.com/wp-content/uploads/2021/03/clip_image001.png]

References:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

https://www.bleepingcomputer.com/news/security/microsoft-exchange-updates-can-install-without-fixing-vulnerabilities/

https://github.com/dpaulson45/HealthChecker#download
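The tools section above tells you to save Test-ProxyLogon.ps1 to C:\Temp and run it with -OutPath. The following PowerShell script is an added example, not code from the original post or from Microsoft's CSS-Exchange project: it runs Test-ProxyLogon exactly as the post describes and then performs a second, independent check that the post only alludes to with the "WebShell Detection" tool, listing .aspx files recently written under the Exchange front-end web roots and hashing them for comparison against a clean server. The environment variable ExchangeInstallPath, the FrontEnd\HttpProxy sub-tree and the cutoff date are assumptions and are marked as such in the code.

```powershell
# Added example (not from the original post or the CSS-Exchange project).
# Step 1 runs Test-ProxyLogon.ps1 as the post instructs; step 2 is an independent
# timestamp/hash sweep of .aspx files under the front-end web roots.
param(
    # Where Test-ProxyLogon.ps1 was saved, as in the post.
    [string]$ToolPath = 'C:\Temp\Test-ProxyLogon.ps1',
    # Output folder passed to -OutPath, as in the post.
    [string]$OutPath  = 'C:\Temp',
    # Report .aspx files modified on or after this date. Constructed default;
    # set it to the day before your own patch window.
    [datetime]$Since  = '2021-02-26'
)

# 1. Run Microsoft's Test-ProxyLogon.ps1 from Exchange Management Shell (per the post).
if (Test-Path $ToolPath) {
    & $ToolPath -OutPath $OutPath
} else {
    Write-Warning "Test-ProxyLogon.ps1 not found at $ToolPath; save it there first (see the post)."
}

# 2. Independent check: .aspx files recently written under the web roots.
#    Assumption: $env:ExchangeInstallPath is set by Exchange setup and the
#    client-access web apps live under FrontEnd\HttpProxy beneath it.
$roots = @(
    (Join-Path $env:ExchangeInstallPath 'FrontEnd\HttpProxy'),
    'C:\inetpub\wwwroot'
) | Where-Object { $_ -and (Test-Path $_) }

if (-not $roots) {
    Write-Warning 'No Exchange/IIS web roots found; is this an Exchange server?'
    return
}

$recent = Get-ChildItem -Path $roots -Recurse -Filter '*.aspx' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    ForEach-Object {
        [pscustomobject]@{
            Path          = $_.FullName
            LastWriteTime = $_.LastWriteTime
            SizeBytes     = $_.Length
            # Hash lets you diff against the same file on a known-clean server of the same build.
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

if ($recent) {
    $report = Join-Path $OutPath 'Recent-Aspx-Files.csv'
    $recent | Sort-Object LastWriteTime -Descending | Export-Csv -Path $report -NoTypeInformation
    Write-Host "Found $(@($recent).Count) .aspx file(s) modified since $Since. Details: $report"
    $recent | Format-Table LastWriteTime, Path -AutoSize
} else {
    Write-Host "No .aspx files modified since $Since under: $($roots -join ', ')"
}
```

A hit in step 2 is a lead, not a verdict: installing a Cumulative Update or security update also rewrites .aspx files under these roots, so compare the SHA256 column against the same paths on a server of the same build that you trust, and treat any file with no counterpart there as the one to hand to MSERT or your incident responders.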

moh10ly

