← Library
splApache-2.0from splunk/security_content

Exchange PowerShell Abuse via SSRF

The following analytic detects suspicious behavior indicative of ProxyShell exploitation against on-premise Microsoft Exchange servers. It identifies HTTP POST requests to `autodiscover.json` containing `PowerShell` in the URI, leveraging server-side request forgery (SSRF) to access backend PowerShell. This detection uses Exchange server logs ingested into Splunk. Monitoring this activity is crucial as it may indicate an attacker attempting to execute commands or scripts on the Exchange server. If confirmed malicious, this could lead to unauthorized access, privilege escalation, or persistent control over the Exchange environment.

Quality
51
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/exchange_powershell_abuse_via_ssrf.yml
`windows_exchange_iis` c_uri="*//autodiscover*" cs_uri_query="*PowerShell*" cs_method="POST"
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest, cs_uri_query, cs_method,
       c_uri
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `exchange_powershell_abuse_via_ssrf_filter`