Skip to content
This repository has been archived by the owner on Mar 16, 2021. It is now read-only.

Detect webshells dropped on Microsoft Exchange servers exploited through "proxylogon" group of vulnerabilites (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)


Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

Latest commit


Git stats


Failed to load latest commit information.
Latest commit message
Commit time

This project has been discontinued

Please use Microsoft tools instead:

When assessing impact we strongly suggest to assume breach and to preemptively examine all MS Exchange servers that were publically exposed since January, even if there are no signs of active compromise.

Note that data exfiltration and configuration changes were possible (and were happening) just through SSRF part of the epxloit chain alone (i.e. without achieving code execution, dropping any files or spawning new processes on the Exchange host).

UPD: As of March 13, 2021 Windows Defender is detecting this script itself as a Webshell

This is a false positive, A/V products react to keywords listed in the script. detect_webshells.ps1 is intentionally written as a standalone file using very simple PowerShell, so that you could inspect it yourself. The keywords that (rightly) trigger A/V are listed on line 94. If you do not feel confident that you understand what the script is doing, do not run it!

Hopefully the fact that antivirus software started detecting this script means it's capable of detecting real webshells as well, making detect_webshells.ps1 unnecessary. Check that Exchange and inetpub directories are not whitelisted though and please realise that webshells where only used for the initial access. Once attackers achieved code execution they usually deployed additional persistence mechanisms - sometimes even removing initial webshell themselves to hide their tracks.

So don't mistake lack of webshells for lack of compromise - unfortunately your server still might have been hacked and either attackers removed webshell themselves or an antivirus did that (without completely booting attackers from your server).

Detect webshells dropped on Microsoft Exchange servers after 0day compromises

This script looks for webshells dropped on Microsoft Exchange servers while they were vulnerable to following CVE's:

Initial activity during January 2021 was attributed to HAFNIUM, however since then other threat actors got hold of these exploits and started using them. Prior to public disclosure & patches being published by Microsoft (since 27 February or so) publically exposed Exchange servers started being exploited indiscriminately. As such, installing latest Exchange updates soon after Microsoft published them did not fully mitigate the risk of prior compromise, therefore all Exchange servers should be inspected for signs of unauthorized access.


detect_webshells.ps1 will check for the presence of known webshells in typical locations:

  • inetpub/wwwroot/aspnet_client/: system wide location, most common place of dropped webshells in current attacks; normally does not contain any files at all, so presence of anything there is suspicious
  • $($env:exchangeinstallpath)/Frontend/: used by more sophisticated attackers in order to blend in with legitimate Exchange files (webshells could be added as new files or by modifying existing ones, including web.config); most common locations are /owa/ and /ecp/, but webshells could be dropped anywhere within Frontend directory

Interpreting the results

detect_webshells.ps1 only looks for webshells and does not attempt to detect past exploitation events directly (use and other scripts mentioned below for this), nor is it looking for particularly stealthy threat actors (which could delete webshells after use or avoid dropping them altogether). As such, negative result can only mean absence of evidence of the compromise on this particular host. It does not guarantee that the host was not exploited by some other means.

More information

Writeups/disclosures (incl. IoC):

Notable detection scripts:


Detect webshells dropped on Microsoft Exchange servers exploited through "proxylogon" group of vulnerabilites (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)







No releases published


No packages published