A Guide to Detecting Microsoft Exchange Zero-Day Exploits

TL;DR

  • First and foremost, apply patches to the Exchange infrastructure.
  • Assume compromise. It’s been reported that the attackers launched a massive compromise attack against 60,000+ Exchange Servers before patches became available, and many other attackers are actively looking for exploited Exchange servers.
  • Look for AI Engine events involving your Exchange infrastructure (Host Names, IPs, Privileged Users and Service Accounts) starting January 5th, 2021 to the present.
  • Use the Microsoft Indicator of Compromise (IOC) scanning tool on recommended systems.
  • Review NextGen Firewall, Intrusion Detection Systems (IDS), EDR, and AV logs involving your Exchange infrastructure from January 5th to the present.
  • We have curated a list of IOCs you can add into lists for threat hunts on our GitHub page here. You may also want to visit our previous blog titled, “How to Detect and Search for SolarWinds IOCs in LogRhythm” to learn how to perform threat hunts using IOC lists here.

A threat actor group known as Hafnium by Microsoft have been tied to compromising Microsoft Exchange servers with several zero-day vulnerabilities. It’s likely that if you have an internet-facing Microsoft Exchange Server, it was compromised due to the haphazard attacks launched before Microsoft released the Exchange patches. The primary attack involved deploying web shells, giving the attacker access to the Exchange Server. A compromised Exchange Server allows attackers to move laterally and unleash further attacks like ransomware.

On March 2nd, 2021, Volexity published “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities.” The blog listed the CVEs and details of the attacks adversaries were leveraging to compromise email accounts, gain persistence within an organization, and move laterally across an organization. The vulnerabilities in the on-premise Exchange Server have existed for a long time. For example, according to Volexity, the earliest attacks against CVE-2021-26855, for example, occurred on January 3rd, 2021.

Since the attack and vulnerability have gone public, an automated method to compromise as many Exchange Servers as possible before administrators can patch against the vulnerabilities has been discovered. As a result, tens of thousands of Exchange Servers may have been compromised at this time.

LogRhythm customers can use the information in this blog to learn how to leverage known IOCs related to the Microsoft Exchange zero-day exploits to perform threat hunts against logs collected in the LogRhythm NextGen SIEM. It is also a call to action to enable logging and collect logs to help determine Exchange compromises in the future.

We’ve also included a list of MITRE ATT&CK techniques in the Joint CyberSecurity Advisory: Compromise of Microsoft Exchange Server within the LogRhythm MITRE ATT&CK AIE Module. LogRhythm Admins that had the LogRhythm MITRE ATT&CK AIE Module enabled prior to the Exchange zero-days went public should pay special attention to those events as it pertains to your Exchange infrastructure.

LogRhythm Detection Guidance

Performing a retroactive threat hunt in LogRhythm requires that you have already enabled logging and collected logs from your Exchange Servers involving:

  • Process monitoring (with command line logging)
    • Microsoft Security: Event ID 4688
    • Microsoft Sysmon: Event ID 1
  • File Integrity Monitoring
    • Microsoft Security Event ID 4663
    • LogRhythm SysMon: File Integrity Monitor (FIM)
  • Configure Logging in IIS

Most of Microsoft’s the detection guidance comes in the form of an admin running the Microsoft-provided security scripts and the Microsoft Support Emergency Response Tool (MSERT) tool on your Exchange servers.

In LogRhythm, we advise you to start collecting the following logs from your Exchange environment if you haven’t already. You can search for the same IOCs from Microsoft in LogRhythm if you previously collected the logs in this Microsoft guidance.

It’s likely that more IOCs will be published as time goes on and you will be able to respond much faster during your threat hunting if all the logs were centralized and indexed.

The following sections are broken out to help you identify quickly what log sources from your Exchange environment should be searched for IOCs, and additional IOC resources.

Log Sources for Threat Hunting

You should focus your threat hunts on the following known Log Source Types:

  • LogRhythm SysMon
    • LogRhythm Process Monitor (Windows)
    • LogRhythm File Monitor (Windows)
  • Microsoft Security Event Logs:
    • MS Windows Event Logging – Security
    • MS Windows Event Logging XML – Security
  • Microsoft Application Event Logs:
    • MS Windows Event Logging – Application
    • MS Windows Event Logging XML – Application
  • IIS Logs
    • Flat File – Microsoft IIS W3C File
  • Microsoft Sysmon
    • MS Windows Event Logging XML – Sysmon 8/9/10 (also supports newer versions of MS Sysmon)

Classification and Common Events

You should focus your threat hunts on the following known Classification and Common Events:

  • Classification
    • Audit/Authentication Success
    • Audit/Account Created
    • Audit/Configuration
    • Ops/Error
    • Security/Malware
    • Security/Failed Malware
  • Classification and Common Events
    • Classification: Audit/Startup and Shutdown AND Common Event: Process/Service Started
    • Classification: Access Success AND Common Event Object Modified
    • Classification: Access Success AND File Monitoring Event – Add

The following are resources where you can find IOCs related to the Hafnium attack on Microsoft Exchange:

How to Threat Hunt and Use IOCs in the LogRhythm SIEM

Third Party IOCs

You can learn how to cover action IOCs in LogRhythm in our blog, “How to Detect and Search for SolarWinds IOCs in LogRhythm.” In this blog you will find details on the methods LogRhythm Labs recommends to help detect IOCs and defend their organization against attacks in the LogRhythm SIEM.

MITRE ATT&CK Techniques

The following is a list of MITRE ATT&CK Techniques that were identified in the Joint CyberSecurity Advisory: Compromise of Microsoft Exchange Server. If you have the LogRhythm MITRE ATT&CK module enabled, you should pay special attention to the following techniques observed as events when it applies to your Exchange infrastructure.

  • 001 : Command and Scripting Interpreter: PowerShell
  • T1083 : File and Directory Discovery
  • T1018 : Remote System Discovery
  • T1082 : System Information Discovery
  • T1003 : System Service Discovery
  • 002 : Remote Services: SMB/Windows Admin Shares

Patching Exchange should still be your primary step to remediating the attack surface. Post patching, following the steps in the TL/DR section will effectively identify compromise. Remediation of a compromised system is time consuming. It’s best to assume compromise and implement a Zero Trust security model.

Make sure you are collecting the logs mentioned in the LogRhythm Detection Guidance. If you are collecting the logs previously mentioned, identifying compromise with the given IOCs should take a trivial amount of time.

LogRhythm customers can find resources on deploying the MITRE ATT&CK Module and engage with other users in Forums on the Community.

The post A Guide to Detecting Microsoft Exchange Zero-Day Exploits appeared first on LogRhythm.

*** This is a Security Bloggers Network syndicated blog from LogRhythm authored by Angela Romero. Read the original post at: https://logrhythm.com/blog/guide-to-detecting-microsoft-exchange-zero-day-exploits/