Investigating Ransomware Deployments that happened via Group Policy
Microsoft 365 Security
by m365guy
1y ago
Group Policy is a powerful tool that attackers use to deploy ransomware across an entire network. This blog post covers tips on how to hunt for this type of activity in the event logs, relying only on the default Windows event logs that come straight out of the box. Creating a GPO and pushing it to an entire Windows network typically requires Domain Admin or equivalent rights in the first place. Let’s cover a real example. BleepingComputer reported in 2021 that LockBit was using Group Policies to infect an entire Windows network. Du ..read more
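Added example, not code from the original post: two hunts for GPO-based deployment that use only built-in sources. The first pulls GPO creations and modifications (and gPLink changes, which is how a fresh GPO gets attached to the domain root) out of a domain controller's Security log; the second sweeps SYSVOL for recently written policy files. It assumes you run it on a DC or can read its Security log remotely, that the "Directory Service Changes" audit subcategory is enabled for Success on the DC (without it events 5136/5137 are never written), and that `$env:USERDNSDOMAIN` names the domain whose SYSVOL you want to inspect.

```powershell
# Added example (not from the original post). Hunt for Group Policy changes using
# the built-in Security log of a domain controller plus a SYSVOL sweep.
# Assumptions: "Directory Service Changes" success auditing is enabled on the DC,
# and the caller can read the Security log and the SYSVOL share.

function Get-GpoChangeEvents {
    param(
        [datetime]$Since        = (Get-Date).AddDays(-7),
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    # 5137 = directory service object created, 5136 = directory service object modified.
    $filter = @{ LogName = 'Security'; Id = 5136, 5137; StartTime = $Since }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Keep GPO objects themselves, plus gPLink edits on any OU/domain object
            # (that is the attribute an attacker changes to attach a new GPO).
            if ($data['ObjectClass'] -ne 'groupPolicyContainer' -and
                $data['AttributeLDAPDisplayName'] -ne 'gPLink') { return }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Actor     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectDN  = $data['ObjectDN']
                Attribute = $data['AttributeLDAPDisplayName']   # empty for 5137 (create)
                Value     = $data['AttributeValue']             # empty for 5137 (create)
            }
        }
}

function Get-RecentSysvolChanges {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    # GPO payloads (scheduled task XML, startup scripts, dropped binaries) live here.
    $domain   = $env:USERDNSDOMAIN
    $policies = "\\$domain\SYSVOL\$domain\Policies"
    Get-ChildItem -Path $policies -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since } |
        Select-Object FullName, LastWriteTime, Length
}

# Usage: recent GPO/gPLink edits, then policy files that would carry a payload.
Get-GpoChangeEvents -Since (Get-Date).AddHours(-48) | Sort-Object Time | Format-Table -AutoSize
Get-RecentSysvolChanges -Since (Get-Date).AddHours(-48) |
    Where-Object { $_.FullName -match '\.(xml|bat|cmd|ps1|vbs|exe|dll)$' } | Format-Table -AutoSize
```

When triaging the output, the things worth a second look are a 5137 creating a new groupPolicyContainer outside a change window, 5136 edits to gPCMachineExtensionNames (a new client-side extension such as scheduled tasks or files being switched on), and a gPLink change on the domain root DN, all by an account that is not a known GPO administrator.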
Hunting and Responding to ProxyShell Attacks
Microsoft 365 Security
by m365guy
1y ago
ProxyShell is an attack chain that exploits three known vulnerabilities in On-Premises Exchange servers: CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. ProxyShell allows a remote unauthenticated attacker to execute arbitrary commands on an unpatched Exchange Server through port 443. The bugs reside in the Client Access Service (CAS) component of Exchange and were discovered by a security researcher in 2021. The researcher’s presentation can be found here: https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-ProxyLogon-Is-Just-The-Tip-Of-The-Iceberg-A-New-Attack-Surface-On-Micr ..read more
Investigating ProxyLogon Attacks and how to mitigate it
Microsoft 365 Security
by m365guy
1y ago
On-Premises Exchange servers are valuable targets for attackers, since they contain critical data and often have wide permissions within AD. Over the years, we have seen different exploits for Microsoft Exchange that could lead to a full compromise of the Exchange farm, as well as a full compromise of Active Directory. Today I would like to do a recap on the well-known ProxyLogon attack. ProxyLogon is the name that was given to CVE-2021-26855. This is a critical vulnerability in Microsoft Exchange servers that allows an attacker to bypass Exchange authentication by means of an SSRF request, which ..read more
History of Exchange with having wide permissions in AD
Microsoft 365 Security
by m365guy
1y ago
On-Premises Exchange servers have always been a different beast compared to other Microsoft products like SQL, SharePoint, and others. Exchange in general has been notorious for having wide permissions within AD. In the past, this has been described as ‘by design’: Microsoft has explained it as providing Exchange administrators the flexibility to manage attributes on Exchange Server objects that are consistent with their role as an Exchange administrator. Microsoft has evaluated the rights that are granted to servers that are running Exchange Server and to Exchange admi ..read more
Patching Exchange Server 2019 and 2016: October 2022 (KB5019077) – Elevation of Privilege Vulnerabilities
Microsoft 365 Security
by m365guy
1y ago
The Microsoft Exchange Server team has released a security update for On-Premises Exchange Servers. The October 2022 security updates are available for the following affected versions: Exchange Server 2013 CU23, Exchange Server 2016 CU22 and CU23, and Exchange Server 2019 CU11 and CU12. I decided to create this blog post to summarize what this security update fixes and which CVEs it addresses. I will also explain how we can check whether our Exchange server is affected or not, and will walk you through the process of patching these servers. Exchange servers are critical servers that are of ..read more
How to implement the Exchange Split Permissions Model?
Microsoft 365 Security
by m365guy
1y ago
This blog post is targeted at organizations that are still operating On-Premises Exchange servers. Exchange has always been an interesting piece, since it is so tightly integrated with AD. This can introduce security challenges as well. In this blog post, we will cover how to implement the Exchange Split Permissions Model to reduce the chance of an Exchange compromise leading to a full AD compromise. First, we will start by covering a well-known attack path. After that, we’ll explain the difference between the Shared Permissions Model and the Split Permissions Model, and wha ..read more
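Added example, not code from the original post: before and after changing the permissions model, the thing to verify is what the Exchange security groups are actually allowed to do on the domain object, because the classic Exchange-to-AD attack path runs through WriteDacl on the domain root. This script (covering both the "wide permissions" history above and the split-permissions change) lists every ACE the groups hold on the domain root and flags the ones that amount to domain takeover. It assumes the ActiveDirectory RSAT module is installed and that the caller can read the domain's security descriptor; the group names are the default ones Exchange setup creates.

```powershell
# Added example (not from the original post). Enumerate the ACEs that the
# Exchange security groups hold on the domain root and flag the dangerous ones.
# Assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-ExchangeDomainAces {
    param(
        # Default group names created by Exchange setup.
        [string[]]$Groups = @('Exchange Windows Permissions', 'Exchange Trusted Subsystem')
    )
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl      = Get-Acl -Path "AD:\$domainDN"
    # Any of these rights on the domain object lets the holder rewrite the DACL
    # (for example to grant itself replication rights), take ownership, or do anything.
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, GenericAll'

    foreach ($ace in $acl.Access) {
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($Groups -notcontains $name) { continue }
        [pscustomobject]@{
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inheritance = $ace.InheritanceType
            Dangerous   = ($ace.AccessControlType -eq 'Allow') -and
                          (($ace.ActiveDirectoryRights -band $dangerous) -ne 0)
        }
    }
}

function Test-ExchangeDomainTakeoverPath {
    # True when at least one Exchange group still holds a takeover-capable ACE.
    $null -ne (Get-ExchangeDomainAces | Where-Object Dangerous | Select-Object -First 1)
}

Get-ExchangeDomainAces | Format-Table -AutoSize
if (Test-ExchangeDomainTakeoverPath) {
    Write-Warning 'An Exchange group holds WriteDacl/WriteOwner/GenericAll on the domain root.'
}
```

Run it once in the shared model to see the baseline, then again after switching to AD split permissions with the documented `Setup.exe /PrepareAD /ActiveDirectorySplitPermissions:true` switch; the WriteDacl ACE for Exchange Windows Permissions is the one that should no longer be there. Rerun it after every CU, since setup re-applies the AD schema and permission changes for the model that is configured.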
Hunting Exchange Webshell Activity
Microsoft 365 Security
by m365guy
1y ago
A Webshell is a malicious script that an attacker drops on a webserver to launch additional attacks and establish persistence. Before a Webshell can be dropped, the attacker must already be able to write into the web server’s content directories; on Exchange this has usually meant having obtained SYSTEM-level code execution on the targeted server through an exploit. A Webshell may provide a set of functions to execute, or a command-line interface on the system that hosts the Web server. Over the years, we have seen attackers leveraging Webshells to establish persistence on servers such as Exchange or IIS. Here we have a few examples of AP ..read more
Hunting in On-Premises Exchange Server logs
Microsoft 365 Security
by m365guy
1y ago
This will be a high-level summary of the different logs that can be found on an On-Premises Exchange server, which can be useful during an IR. For each log, I’ll explain what we can achieve with it. Not all logs are useful, so I’ve only picked the ones that I’m aware of and believe are useful. IIS logs One of the most useful logs on an Exchange server is the IIS log. From hunting down ProxyLogon to Webshell activity, IIS logs play a huge role in finding suspicious activity. IIS logs are stored by default at the following location: C:\inetpub\logs\LogFiles and come with two f ..read more
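Added example, not code from the original post, serving the ProxyShell, Webshell and IIS-log posts above: a small W3C log parser followed by two detections run over constructed sample lines. The first detection looks for the ProxyShell-style path confusion, a request to `/autodiscover/autodiscover.json` whose query carries an `@` followed by a backend path such as `/powershell` or `/mapi/nspi`. The second flags `.aspx` requests into directories where Exchange webshells have been dropped (`/owa/auth/`, `/aspnet_client/`, `/ecp/auth/`, `/ews/`), excluding the few legitimate pages under `/owa/auth/`. The field list is the IIS default; the sample lines are invented, not a real capture.

```powershell
# Added example (not from the original post). Parse IIS W3C logs and flag
# ProxyShell-style autodiscover requests and likely webshell hits.

function ConvertFrom-IisW3c {
    # Turns W3C lines into objects keyed by the names from the '#Fields:' header.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Find-SuspiciousExchangeRequests {
    param([psobject[]]$Requests)
    # autodiscover.json ... @ ... backend path = the ProxyShell path-confusion shape.
    $proxyShell = '(?i)autodiscover\.json.*@.*(powershell|mapi/nspi|ews/exchange\.asmx)'
    # Directories attackers have used to drop .aspx webshells on Exchange.
    $shellDirs  = '(?i)^/(owa/auth|aspnet_client|ecp/auth|ews)/.*\.aspx$'
    # Legitimate Exchange pages that live under /owa/auth/ and must not be flagged.
    $knownAspx  = @('logon.aspx', 'logoff.aspx', 'errorfe.aspx')

    foreach ($r in $Requests) {
        $full   = '{0}?{1}' -f $r.'cs-uri-stem', $r.'cs-uri-query'
        $reason = $null
        if ($full -match $proxyShell) {
            $reason = 'ProxyShell-style autodiscover path confusion'
        } elseif ($r.'cs-uri-stem' -match $shellDirs -and
                  $knownAspx -notcontains ([IO.Path]::GetFileName($r.'cs-uri-stem').ToLower())) {
            $reason = 'Request to .aspx in a directory used for webshells'
        }
        if ($reason) {
            [pscustomobject]@{
                Time   = '{0} {1}' -f $r.date, $r.time
                Client = $r.'c-ip'
                Method = $r.'cs-method'
                Uri    = $full
                Status = $r.'sc-status'
                Reason = $reason
            }
        }
    }
}

# Constructed sample log (default IIS field list; these lines are invented).
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-20 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.20 Mozilla/5.0 - 200 0 0 45
2021-08-20 10:15:09 10.0.0.5 GET /autodiscover/autodiscover.json @example.test/powershell?Email=autodiscover/autodiscover.json%3F@example.test 443 - 203.0.113.7 python-requests/2.26 - 200 0 0 120
2021-08-20 10:16:30 10.0.0.5 POST /owa/auth/help.aspx - 443 - 203.0.113.7 python-requests/2.26 - 200 0 0 18
2021-08-20 10:17:02 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\jdoe 198.51.100.21 Mozilla/5.0 - 200 0 0 60
'@ -split "`r?`n"

$requests = ConvertFrom-IisW3c -Lines $sample
Find-SuspiciousExchangeRequests -Requests $requests | Format-Table -AutoSize
```

Against the sample, only the autodiscover request and the POST to `/owa/auth/help.aspx` are reported; the legitimate logon page and the ECP request pass. On a real server, feed it `Get-Content` of the files under `C:\inetpub\logs\LogFiles\W3SVC1` and `W3SVC2` (front-end and back-end sites), and pivot on the client IP of any hit, since the same source typically shows up in the exploit request first and the webshell requests minutes later.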
Mitigating CVE-2022-41040 with Exchange On-premises Mitigation Tool v2
Microsoft 365 Security
by m365guy
1y ago
CVE-2022-41040 is an SSRF vulnerability, disclosed recently, which impacts On-Premises Exchange servers. It can be triggered remotely, but authenticated access to the vulnerable Exchange Server is necessary to exploit it successfully. At the time of writing this blog post, Microsoft has shared temporary mitigation guidance that can be applied to harden Exchange servers. See: https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/ This is the current list of kn ..read more
How to upgrade the CU level of an On-Premises Exchange server?
Microsoft 365 Security
by m365guy
1y ago
This will be a straightforward blog post where I explain how we can upgrade the CU level of On-Premises Exchange servers. Upgrading the CU level has generally been a challenging task, since it is not the same as a traditional Windows update. If you are looking for guidance on how to upgrade Exchange servers that don’t have the latest CU level installed, I will be sharing my methodology on how we can do this. It requires careful planning and a solid change management process before we can upgrade the CU level of an Exchange server. During this example, we will be using Exchange 2016 ..read more
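Added example, not code from the original posts, serving both the October 2022 security update post and this CU upgrade post: the first thing either procedure needs is the exact build that is installed, and `Get-ExchangeServer`'s AdminDisplayVersion only reflects the CU, not the Security Update on top of it. The file version of `ExSetup.exe` does reflect the SU, so this reads that and compares it with a minimum build you pass in. No build numbers are hardcoded; take the minimum for your CU/SU from Microsoft's Exchange build number table. It assumes Exchange is installed on the host (the `ExchangeInstallPath` environment variable is set by setup).

```powershell
# Added example (not from the original posts). Read the installed Exchange build
# from ExSetup.exe and compare it against a minimum build supplied by the caller.

function Get-ExchangeBuild {
    param([string]$InstallPath = $env:ExchangeInstallPath)   # set by Exchange setup
    if (-not $InstallPath) {
        throw 'ExchangeInstallPath is not set; is Exchange installed on this host?'
    }
    $exsetup = Join-Path $InstallPath 'bin\ExSetup.exe'
    $info    = (Get-Item -Path $exsetup).VersionInfo
    # Four-part file version, e.g. 15.1.x.y for Exchange 2016, 15.2.x.y for 2019.
    [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart,
                                   $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-ExchangeBuild {
    param(
        [Parameter(Mandatory)][version]$MinimumBuild,   # from Microsoft's build table
        [version]$CurrentBuild = (Get-ExchangeBuild)
    )
    # Only compare within the same product line (15.1 vs 15.1); a 2019 build is
    # not "newer" than a 2016 minimum in any meaningful sense.
    $sameProduct = ($CurrentBuild.Major -eq $MinimumBuild.Major) -and
                   ($CurrentBuild.Minor -eq $MinimumBuild.Minor)
    [pscustomobject]@{
        Current     = $CurrentBuild
        Minimum     = $MinimumBuild
        SameProduct = $sameProduct
        Patched     = $sameProduct -and ($CurrentBuild -ge $MinimumBuild)
    }
}

# Usage: the minimum is an operator input taken from the vendor build table.
# Test-ExchangeBuild -MinimumBuild '15.1.2507.13'
```

To check a whole farm from one console, wrap `Get-ExchangeBuild` in `Invoke-Command -ComputerName (Get-ExchangeServer).Name -ScriptBlock ${function:Get-ExchangeBuild}` and feed each result to `Test-ExchangeBuild`; a server whose build sits below the minimum for its own CU line still needs the SU, and one whose CU is out of support needs the CU upgrade described in this post before the SU can even be applied.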

Follow Microsoft 365 Security on FeedSpot