
All The Proxy Not Shells

Analysis of ProxyNotShell, ProxyShell, and related Exchange vulnerabilities - understanding the attack chains and building comprehensive detection coverage.

exchange proxynotshell proxyshell ssrf rce detection splunk

Originally published on the Splunk Security Blog
Read the full article: All The Proxy Not Shells

The Exchange Vulnerability Timeline

Microsoft Exchange has been a goldmine for attackers:

Vulnerability    CVEs                                                            Impact
ProxyLogon       CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065  Pre-auth RCE
ProxyShell       CVE-2021-34473, CVE-2021-34523, CVE-2021-31207                  Pre-auth RCE
ProxyNotShell    CVE-2022-41040, CVE-2022-41082                                  Auth RCE

ProxyNotShell Deep Dive

CVE-2022-41040: SSRF

Server-Side Request Forgery in Autodiscover.

CVE-2022-41082: RCE

Remote code execution via PowerShell Remoting.

Attack Chain

  1. Authenticate - Valid credentials required (unlike ProxyShell)
  2. SSRF - Access backend services via Autodiscover
  3. RCE - Execute PowerShell on Exchange server

Exploitation Pattern

POST /autodiscover/autodiscover.json?@evil.com/owa/&Email=autodiscover/autodiscover.json%3F@evil.com

The @ in the query string makes the Autodiscover front end forward the request to internal backend URLs; that forwarding is the SSRF.

Detection Strategies

Autodiscover SSRF Attempts

index=iis sourcetype=iis cs_uri_stem="*autodiscover*" 
  (cs_uri_query="*@*" OR cs_uri_query="*Email=*")
| table _time, c_ip, cs_uri_stem, cs_uri_query, sc_status
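The same check, run outside Splunk as an added example (this is not code from the Splunk post): a small W3C IIS log parser and a detector that applies the logic of the search above (Autodiscover stem plus an @ or Email= in the query). It goes one step further than the SPL by URL-decoding the query first, so a %40 in place of the literal @ does not slip past the match. The log lines are constructed for the example and are not real traffic.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt (not real traffic): one benign OWA logon,
# two ProxyNotShell-style Autodiscover requests from one source (the second
# with the '@' URL-encoded as %40), and one ordinary Autodiscover call.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2022-10-03 08:15:02 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 198.51.100.7 Mozilla/5.0 200
2022-10-03 08:15:10 10.0.0.5 POST /autodiscover/autodiscover.json @evil.com/owa/&Email=autodiscover/autodiscover.json%3F@evil.com 203.0.113.9 python-requests/2.28.1 200
2022-10-03 08:15:11 10.0.0.5 POST /autodiscover/autodiscover.json %40evil.com/powershell/&Email=autodiscover/autodiscover.json%3F%40evil.com 203.0.113.9 python-requests/2.28.1 401
2022-10-03 08:16:00 10.0.0.5 POST /autodiscover/autodiscover.xml - 192.0.2.44 Microsoft+Office/16.0 200
"""


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated/malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


# Mirrors cs_uri_stem="*autodiscover*" but restricted to the Autodiscover endpoint itself.
AUTODISCOVER_STEM = re.compile(r"/autodiscover/autodiscover\.(json|xml)", re.I)


def fully_decode(s, rounds=3):
    """URL-decode repeatedly (bounded) so %40 or %2540 cannot hide an '@'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def ssrf_indicators(rec):
    """Return the ProxyNotShell SSRF indicators present in one IIS record."""
    if not AUTODISCOVER_STEM.search(rec.get("cs-uri-stem", "")):
        return []
    raw = rec.get("cs-uri-query", "-")
    raw = "" if raw == "-" else raw  # IIS writes '-' for an empty query string
    decoded = fully_decode(raw)
    hits = []
    if "@" in decoded:
        hits.append("at-sign in Autodiscover query")
        if "@" not in raw:
            hits.append("at-sign was URL-encoded")
    if re.search(r"(^|&)email=", decoded, re.I):
        hits.append("Email= parameter present")
    if re.search(r"autodiscover\.json\?", decoded, re.I):
        hits.append("nested autodiscover.json in query")
    return hits


def find_ssrf_attempts(text):
    """Equivalent of the SPL search above, applied to raw W3C log text."""
    findings = []
    for rec in parse_iis_w3c(text):
        hits = ssrf_indicators(rec)
        if hits:
            findings.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "c_ip": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                "query": rec["cs-uri-query"],
                "status": rec["sc-status"],  # 401 = attempt that failed authentication
                "indicators": hits,
            })
    return findings


def attempts_by_source(findings):
    """Count flagged requests per client IP, the first pivot an analyst wants."""
    counts = {}
    for f in findings:
        counts[f["c_ip"]] = counts.get(f["c_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in find_ssrf_attempts(SAMPLE_IIS_LOG):
        print(f["time"], f["c_ip"], f["status"], "; ".join(f["indicators"]))
```

Because ProxyNotShell needs valid credentials, a flagged request with a 401 status is a failed attempt rather than a compromise, but it still tells you someone is probing the endpoint; the ordinary autodiscover.xml request with an empty query is not flagged.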

PowerShell Remoting on Exchange

index=sysmon EventCode=1 
  ParentImage="*\\w3wp.exe"
  Image="*\\wsmprovhost.exe"
| table _time, Computer, User, CommandLine

Web Shell Indicators

index=sysmon EventCode=11 
  TargetFilename="*\\inetpub\\wwwroot\\aspnet_client\\*"
  TargetFilename="*.aspx"
| table _time, Computer, TargetFilename

Suspicious Exchange Child Processes

index=sysmon EventCode=1 
  ParentImage="*\\w3wp.exe"
  Image IN ("*\\cmd.exe", "*\\powershell.exe", "*\\certutil.exe")
| table _time, Computer, User, Image, CommandLine
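The three Sysmon searches above (PowerShell Remoting, web shell drops, and suspicious Exchange child processes) expressed as a small rule engine, added here as an example and not taken from the Splunk post. Rules are written as field/wildcard pairs exactly as in the SPL, and matching uses case-insensitive fnmatch so that "*\w3wp.exe" behaves like the Splunk wildcard. The events are constructed for the example, in the shape Splunk presents Sysmon fields, and are not real telemetry.

```python
from fnmatch import fnmatchcase

# Constructed Sysmon events (not real telemetry) as Splunk presents them:
# EventCode 1 = ProcessCreate, EventCode 11 = FileCreate.
SAMPLE_EVENTS = [
    {"EventCode": 1, "Computer": "EXCH01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": 'w3wp.exe -ap "MSExchangePowerShellAppPool"'},  # normal worker start
    {"EventCode": 1, "Computer": "EXCH01", "User": "EXCH01$",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c whoami"},
    {"EventCode": 1, "Computer": "EXCH01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "CommandLine": "wsmprovhost.exe -Embedding"},
    {"EventCode": 11, "Computer": "EXCH01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\example.aspx"},
    {"EventCode": 11, "Computer": "EXCH01", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\W3SVC1\u_ex221003.log"},  # benign
    {"EventCode": 1, "Computer": "EXCH01", "User": "EXCH01$",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]

# Each condition is (field, mode, patterns): "any" mirrors SPL's Image IN (...),
# "all" mirrors two constraints on the same field that must both hold.
RULES = [
    {"name": "exchange_powershell_remoting", "event_code": 1,
     "conditions": [("ParentImage", "any", [r"*\w3wp.exe"]),
                    ("Image", "any", [r"*\wsmprovhost.exe"])]},
    {"name": "exchange_suspicious_child", "event_code": 1,
     "conditions": [("ParentImage", "any", [r"*\w3wp.exe"]),
                    ("Image", "any", [r"*\cmd.exe", r"*\powershell.exe", r"*\certutil.exe"])]},
    {"name": "exchange_webshell_drop", "event_code": 11,
     "conditions": [("TargetFilename", "all",
                     [r"*\inetpub\wwwroot\aspnet_client\*", "*.aspx"])]},
]


def spl_match(value, pattern):
    """Case-insensitive wildcard match like an SPL field="*pattern*" term."""
    return fnmatchcase(value.lower(), pattern.lower())


def rule_matches(rule, event):
    """True when the event has the rule's EventCode and satisfies every condition."""
    if event.get("EventCode") != rule["event_code"]:
        return False
    for field, mode, patterns in rule["conditions"]:
        value = event.get(field)
        if value is None:
            return False
        results = [spl_match(value, p) for p in patterns]
        if mode == "any" and not any(results):
            return False
        if mode == "all" and not all(results):
            return False
    return True


def run_rules(events, rules=RULES):
    """Return (rule name, event) for every rule each event triggers."""
    return [(rule["name"], ev) for ev in events for rule in rules if rule_matches(rule, ev)]


def summarize(events, rules=RULES):
    """Hit count per rule, the rough equivalent of a trailing | stats count by rule."""
    counts = {}
    for name, _ in run_rules(events, rules):
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for name, ev in run_rules(SAMPLE_EVENTS):
        print(name, ev["Computer"], ev.get("Image"), ev.get("CommandLine") or ev.get("TargetFilename"))
```

The engine only sees what Sysmon records, so the configuration on the Exchange hosts must actually log ProcessCreate (event 1) and FileCreate (event 11) for the inetpub tree; a filtered Sysmon config will silently produce zero hits.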

Mitigation

  • Patch immediately
  • URL Rewrite rules (temporary)
  • Disable remote PowerShell for non-admins
  • Monitor for exploitation attempts
  • Consider Exchange Online

Timeline of Mass Exploitation

  • September 2022: Zero-day exploitation begins
  • September 29: Microsoft confirms active exploitation
  • October 2022: Widespread scanning
  • November 8: Patches released

Read the full analysis: All The Proxy Not Shells
