
I patched on 3/3

This just looks like we were probed and not compromised; can someone please confirm? I'm not sure how to interpret this.

Ran Test-Hafnium.ps1

Contents of CVE-2021-26855.log:

#TYPE Selected.System.Management.Automation.PSCustomObject
"DateTime","AnchorMailbox"
"2021-03-02T09:50:56.279Z","ServerInfo~a]@Exchange001.contoso.com:444/autodiscover/autodiscover.xml?#"

edit: The scan found the following entry:

2021-03-02T09:50:56.279Z,5f083d36-1b8a-489b-9bdc-e3859dea08f4,15,1,2106,2,,Ecp,207.207.49.16,/ecp/y.js,,FBA,false,,,ServerInfo~a]@Exchange001.contoso.com:444/autodiscover/autodiscover.xml?#,ExchangeServicesClient/0.0.0.0,157.230.221.198,EXCHANGE001,200,200,,POST,Proxy,exchange001.contoso.com,15.00.0001.000,IntraForest,X-BEResource-Cookie,,,,347,362,,,0,0,,0,,0,,0,0,,0,295,0,0,17,0,274,0,0,0,1,0,294,1,274,4,21,21,295,,,,BeginRequest=2021-03-02T09:50:55.983Z;CorrelationID=<empty>;ProxyState-Run=None;FEAuth=BEVersion-1941962753;NewConnection=::1&0;BeginGetRequestStream=2021-03-02T09:50:55.983Z;OnRequestStreamReady=2021-03-02T09:50:55.998Z;BeginGetResponse=2021-03-02T09:50:55.998Z;OnResponseReady=2021-03-02T09:50:56.279Z;EndGetResponse=2021-03-02T09:50:56.279Z;ProxyState-Complete=ProxyResponseData;SharedCacheGuard=0;EndRequest=2021-03-02T09:50:56.279Z;,,,,,,CafeV1

in the following file:

"\\exchange001.contoso.com\C$\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Ecp\HttpProxy_2021030209-1.LOG"

I did not find any entries for Administrator@domain.com in any of the log files.

Davidw
kausner
  • Please add more detail to assist us in answering. – Dave M Mar 04 '21 at 18:34
  • edited original post @DaveM – kausner Mar 04 '21 at 18:54
  • 1
    In the case of CVE-2021-26855 exploit, the `AuthenticatedUser` is empty, so you won't find any Administrator entries. You should look around for web shells and archives indicating data extraction, as described in the [Microsoft security blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) – Lacek Mar 04 '21 at 22:33
  • Make sure you have updated your Exchange server to the latest version and applied the security patch. Follow the steps introduced in the above link, especially the part "Can I determine if I have been compromised by this activity?", and also refer to the FAQ about this issue here: https://docs.microsoft.com/en-us/answers/questions/298536/faq-for-march-2021-exchange-server-security-update.html – joyceshen Mar 05 '21 at 06:23

1 Answer


You should review the logs attached to the service accessed - in this instance, the autodiscover logs in the %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging directory.

More details about what to look for from an attack are available here:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Under "Attack details".

John H
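As an added triage example (not code from the original post, from Test-Hafnium.ps1 or from Microsoft), the PowerShell below applies the indicator described in the comments and the answer (empty AuthenticatedUser together with a ServerInfo~ AnchorMailbox) to HttpProxy log rows and then groups the hits by client IP, which is the probe-versus-sustained-activity distinction the question asks about. The sample log is constructed with a truncated set of columns: the first row mirrors the entry from the question, the other two are hypothetical normal traffic, and the function name Get-ProxyLogonIndicators is my own.

```powershell
# Added example, not from the original post or from Test-Hafnium.ps1.
# Flags Exchange HttpProxy rows matching the CVE-2021-26855 indicator:
# an unauthenticated request whose AnchorMailbox is a 'ServerInfo~<host>/<path>'
# back-end target instead of a mailbox, then summarises hits per client IP.

# Constructed sample (columns truncated to the ones used below).
# Row 1 mirrors the entry in the question; rows 2-3 are hypothetical normal traffic.
$sampleLog = @'
DateTime,RequestId,Protocol,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,AnchorMailbox,UserAgent,ClientIpAddress,HttpStatus,BackEndStatus,Method,RoutingHint
2021-03-02T09:50:56.279Z,5f083d36-1b8a-489b-9bdc-e3859dea08f4,Ecp,/ecp/y.js,FBA,false,,ServerInfo~a]@Exchange001.contoso.com:444/autodiscover/autodiscover.xml?#,ExchangeServicesClient/0.0.0.0,157.230.221.198,200,200,POST,X-BEResource-Cookie
2021-03-02T09:51:10.004Z,0d3a4b1c-0000-4000-8000-000000000002,Owa,/owa/,FBA,true,contoso\jdoe,Sid~S-1-5-21-1111111111-2222222222-3333333333-1105,Mozilla/5.0,10.0.0.25,200,200,GET,Database
2021-03-02T09:51:12.511Z,0d3a4b1c-0000-4000-8000-000000000003,Ecp,/ecp/,FBA,false,,,Mozilla/5.0,10.0.0.26,302,302,GET,
'@

function Get-ProxyLogonIndicators {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Some Exchange log types start with '#'-prefixed header lines; drop them before CSV parsing.
    $rows = $Lines | Where-Object { $_ -and $_ -notmatch '^#' } | ConvertFrom-Csv

    $rows | Where-Object {
        # Same test Test-Hafnium.ps1 reports on: no authenticated user, and an
        # AnchorMailbox that names a server path rather than a mailbox.
        [string]::IsNullOrEmpty($_.AuthenticatedUser) -and $_.AnchorMailbox -like 'ServerInfo~*/*'
    } | Select-Object DateTime, ClientIpAddress, UrlStem, AnchorMailbox, BackEndStatus
}

$hits = Get-ProxyLogonIndicators -Lines ($sampleLog -split "`r?`n")

# BackEndStatus is the back end's response to the proxied request:
# 200 means the forged request reached the back end and was answered.
$hits | Format-Table -AutoSize

# Per-source summary: a single hit from one address looks like a scan;
# many hits against several back-end paths from one address deserves
# the web-shell and data-staging review the linked Microsoft post describes.
$hits | Group-Object ClientIpAddress |
    Select-Object @{n='ClientIp'; e={ $_.Name }}, Count,
                  @{n='Paths'; e={ ($_.Group.AnchorMailbox | Sort-Object -Unique) -join '; ' }} |
    Format-Table -AutoSize
```

Against real logs, replace `$sampleLog` with `Get-Content` over the HttpProxy directory the answer names and run the same function per file.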