diff --git a/README.md b/README.md index eb95052..cb7417d 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,17 @@ # Search-ExchangeProxyNotShell Search for Exchange Zero-Day ProxyNotShell IOCs + +## Usage +Download and copy this script to an Excchange Server. +Run this script: + +``` +.\Search-ExchangeProxyNotShell.ps1 +``` + +## Tested Exchange / Windows Server Versions + - Exchange Server 2019 + - Windows Server 2022 + +## Website + [FrankysWeb](https://www.frankysweb.de/exchange-zero-day-angriff-per-powershell-feststellen/) \ No newline at end of file diff --git a/Search-ExchangeProxyNotShell.ps1 b/Search-ExchangeProxyNotShell.ps1 new file mode 100644 index 0000000..fb12b8b --- /dev/null +++ b/Search-ExchangeProxyNotShell.ps1 @@ -0,0 +1,88 @@ +write-host " +------------------------------------------------------ +Checking for suspicious files... +------------------------------------------------------ +" + +$SuspiciousFiles = @( +"C:\root\DrSDKCaller.exe", +"C:\Users\Public\all.exe", +"C:\Users\Public\dump.dll", +"C:\Users\Public\ad.exe", +"C:\PerfLogs\gpg-error.exe", +"C:\PerfLogs\cm.exe", +"C:\Program Files\Common Files\system\ado\msado32.tlb" +) + +foreach ($SuspiciousFile in $SuspiciousFiles) { + if (test-path $SuspiciousFile) { + write-host "Suspicious File $SuspiciousFile found!" -foregroundcolor red + } + else { + write-host "Suspicious File $SuspiciousFile not found!" -foregroundcolor green + } +} + +write-host " +------------------------------------------------------ +Checking IIS Logs for IOCs... (this can take some time) +------------------------------------------------------ +" +Import-Module WebAdministration +$IISLogdir = (get-item "IIS:\Sites\Default Web Site").logfile.directory +if ($IISLogdir -match "%SystemDrive%") { + $IISLogdir = $IISLogdir.replace("%SystemDrive%","c:") +} +$IOCs = Get-ChildItem -Recurse -Path $IISLogdir -Filter "*.log" | Select-String -Pattern 'powershell.*autodiscover\.json.*\@.*200' +if ($IOCs) { + write-host "IOC powershell.*autodiscover\.json.*\@.*200 found in IIS Logs" -foregroundcolor red +} +else { + write-host "IOC powershell.*autodiscover\.json.*\@.*200 not found in IIS Logs" -foregroundcolor green +} +write-host " +------------------------------------------------------ +Checking for WebShells... +------------------------------------------------------ +" +$Webshell1 = [PSCustomObject]@{ + ID = 1 + Name = "FrontEnd\HttpProxy\owa\auth\pxh4HG1v.ashx" + Hash = "c838e77afe750d713e67ffeb4ec1b82ee9066cbe21f11181fd34429f70831ec1" +} +$Webshell2 = [PSCustomObject]@{ + ID = 2 + Name = "FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx" + Hash = "65a002fe655dc1751add167cf00adf284c080ab2e97cd386881518d3a31d27f5" +} +$Webshell3 = [PSCustomObject]@{ + ID = 3 + Name = "FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx" + Hash = "b5038f1912e7253c7747d2f0fa5310ee8319288f818392298fd92009926268ca" +} +$Webshell4 = [PSCustomObject]@{ + ID = 4 + Name = "FrontEnd\HttpProxy\owa\auth\errorEE.aspx" + Hash = "be07bd9310d7a487ca2f49bcdaafb9513c0c8f99921fdf79a05eaba25b52d257" +} +[System.Collections.ArrayList]$WebShellArray = @() +$WebShellArray.Add($Webshell1) | out-null +$WebShellArray.Add($Webshell2) | out-null +$WebShellArray.Add($Webshell3) | out-null +$WebShellArray.Add($Webshell4) | out-null + +foreach ($WebShell in $WebShellArray) { + $WebshellPath = "$exinstall" + $WebShell.Name + if (test-path $WebshellPath) { + $FileHash = (Get-FileHash $WebshellPath).Hash.ToLower() + if ($Webshell.Hash -eq $FileHash) { + write-host "WebShell File $WebshellPath found!" -foregroundcolor red + } + else { + write-host "WebShell File $WebshellPath not found!" -foregroundcolor green + } + } + else { + write-host "WebShell File $WebshellPath not found!" -foregroundcolor green + } +} \ No newline at end of file