{
	"id": "2e7791fe-6840-4b2c-8319-fc35ae367990",
	"created_at": "2026-04-06T00:15:45.737555Z",
	"updated_at": "2026-04-10T03:35:48.518717Z",
	"deleted_at": null,
	"sha1_hash": "4203dcc7d28993914a27db2c55f4132f4eb65204",
	"title": "Mitigate Microsoft Exchange Server Vulnerabilities | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 171069,
	"plain_text": "Mitigate Microsoft Exchange Server Vulnerabilities | CISA\r\nPublished: 2021-07-19 · Archived: 2026-04-05 17:38:15 UTC\r\nSummary\r\nUpdated July 19, 2021: The U.S. Government attributes this activity to malicious cyber actors affiliated with the People's\r\nRepublic of China (PRC) Ministry of State Security (MSS). Additional information may be found in a statement from the\r\nWhite House. For more information on Chinese malicious cyber activity, refer to us-cert.cisa.gov/China.\r\nNote: This Alert was updated April 13, 2021, to provide further guidance. \r\nCybersecurity and Infrastructure Security Agency (CISA) partners have observed active exploitation of vulnerabilities in\r\nMicrosoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to\r\nexecute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as\r\naccess to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally\r\nenable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to\r\naddress vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers\r\nand are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.\r\nThis Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with\r\nthis malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs\r\nand use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume\r\nnetwork identity compromise and follow incident response procedures. 
If an organization finds no activity, they should\r\napply available patches immediately and implement the mitigations in this Alert.\r\nIOCs in STIX format are available from the original Alert.\r\nTechnical Details\r\n(Updated April 14, 2021): Microsoft's April 2021 Security Update newly discloses and mitigates significant\r\nvulnerabilities affecting on-premises Exchange Server 2013, 2016, and 2019.\r\nMicrosoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:\r\nCVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the\r\nExchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery\r\n(SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.\r\nCVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.\r\nCVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary file write vulnerabilities in\r\nExchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could\r\nwrite a file to any path on the server.\r\nCVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker,\r\nauthenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code\r\nas SYSTEM on the Exchange Server.\r\nBecause the SSRF (CVE-2021-26855) supplies the authentication that the file-write and deserialization bugs require, the four\r\nvulnerabilities chain into unauthenticated remote code execution. Evidence of CVE-2021-26855 exploitation in the logs should\r\ntherefore be treated as a likely full compromise of the server rather than as a failed attempt.\r\nTo locate a possible compromise of these CVEs, CISA encourages organizations to read the Microsoft Advisory.\r\nIt is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment\r\nand download the Active Directory Database.\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-062a\r\nPage 1 of 10\n\n(Updated March 12, 2021): Microsoft Security Intelligence has released a tweet on DearCry ransomware being used to\r\nexploit compromised on-premises Exchange Servers. 
Ransomware infections can have negative consequences to an affected\r\norganization, including:\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\n(Updated April 12, 2021): CISA recommends organizations review Malware Analysis Report (MAR) MAR-10330097-1.v1\r\n– DearCry Ransomware for detailed analysis, along with TTPs and IOCs.\r\n(Updated March 12, 2021): CISA encourages organizations to review CISA’s Ransomware web page for guidance and\r\nresources. Victims of ransomware should report it immediately to CISA at www.us-cert.gov/report, a local FBI Field Office,\r\nor Secret Service Field Office.\r\nTactics, Techniques and Procedures\r\n(Updated March 10, 2021): Microsoft has released a script that scans Exchange log files for IOCs. CISA strongly\r\nencourages organizations to run the Test-ProxyLogon.ps1 script —as soon as possible—to help determine whether their\r\nsystems are compromised.\r\n(Updated March 16, 2021): Note: Microsoft has released the Exchange On-premises Mitigation Tool (EOMT.ps1) that\r\ncan automate portions of both the detection and patching process. Microsoft stated the following along with the release: \"\r\n[the tool is intended] to help customers who do not have dedicated security or IT teams to apply these security updates. We\r\nhave tested this tool across Exchange Server 2013, 2016, and 2019 deployments. 
This new tool is designed as an interim\r\nmitigation for customers who are unfamiliar with the patch/update process or who have not yet applied the on-premises\r\nExchange security update.” Review the EOMT.ps1 blog post for directions on using the tool.\r\n(Updated March 10, 2021): CISA recommends investigating for signs of a compromise from at least January 1,\r\n2021 through present.\r\n(Updated April 12, 2021): CISA has identified 10 webshells associated with this activity. This is not an all-inclusive list of\r\nwebshells that are being leveraged by actors. CISA recommends organizations review the following MARs for detailed\r\nanalysis of the 10 webshells, along with TTPs and IOCs. These MARs include CISA-developed YARA rules to help network\r\ndefenders detect associated malware.\r\n1. AR21-072A: MAR-10328877.r1.v1: China Chopper Webshell\r\n2. AR21-072B: MAR-10328923.r1.v1: China Chopper Webshell\r\n3. AR21-072C: MAR-10329107.r1.v1: China Chopper Webshell\r\n4. AR21-072D: MAR-10329297.r1.v1: China Chopper Webshell\r\n5. AR21-072E: MAR-10329298.r1.v1: China Chopper Webshell\r\n6. AR21-072F: MAR-10329301.r1.v1: China Chopper Webshell\r\n7. AR21-072G: MAR-10329494.r1.v1: China Chopper Webshell\r\n8. AR21-084A: MAR-10329496-1.v1: China Chopper Webshell\r\n9. AR21-084B: MAR-10329499-1.v1: China Chopper Webshell\r\n10. AR21-102A: MAR-10331466-1.v1: China Chopper Webshell\r\n(Updated March 13, 2021): A webshell is a script that can be uploaded to a compromised Microsoft Exchange Server to\r\nenable remote administration of the machine. 
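The indicators that this section goes on to list (the POST targets, user-agents and IP addresses reported by Volexity, the Set-OabVirtualDirectory string in the ECP server logs, and the .aspx drop locations under the Exchange front end) are easiest to check once the IIS and ECP logs have been copied off the server. The Python below is an added example written for this page; it is not code from CISA, Microsoft or Volexity, and it is not a substitute for Microsoft's Test-ProxyLogon.ps1. The indicator values are copied from this Alert; the IIS log lines, ECP log lines and directory tree it runs against are constructed samples, and the function names and the aa21-062a temp-directory prefix are the example's own.

```python
import os
import tempfile

# Indicators copied from this Alert (originally reported by Volexity); not exhaustive, so no hit != clean.
POST_TARGETS = {'/ecp/default.flt', '/ecp/main.css'} | {
    '/owa/auth/Current/themes/resources/' + f for f in ('logon.css', 'owafont_ja.css', 'lgnbotl.gif',
    'owafont_ko.css', 'SegoeUI-SemiBold.eot', 'SegoeUI-SemiLight.ttf')}
# IIS records the User-Agent with spaces replaced by '+', which is the form the Alert lists.
EXPLOIT_AGENTS = {'ExchangeServicesClient/0.0.0.0', 'python-requests/2.19.1', 'python-requests/2.25.1'}
WEBSHELL_AGENTS = {'antSword/v2.1', 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'}
ATTACKER_IPS = {'103.77.192.219', '104.140.114.110', '104.250.191.110', '108.61.246.56', '149.28.14.163',
                '157.230.221.198', '167.99.168.251', '185.250.151.72', '192.81.208.169', '203.160.69.66',
                '211.56.98.146', '5.254.43.18', '5.2.69.14', '80.92.205.81', '91.192.103.43'}
# ECP server-log marker from the Alert; chr(39) supplies the trailing apostrophe.
ECP_MARKER = 'S:CMD=Set-OabVirtualDirectory.ExternalUrl=' + chr(39)

def parse_iis_w3c(lines):
    # Map each data line to a dict using the most recent #Fields header line.
    fields = None
    for line in lines:
        line = line.rstrip()
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
        elif line and not line.startswith('#') and fields:
            yield dict(zip(fields, line.split(' ')))

def triage_iis(lines):
    # Return (reason, request) pairs for requests matching the Alert's IIS indicators.
    hits = []
    for req in parse_iis_w3c(lines):
        method, stem, agent, client = (req.get(k, '') for k in ('cs-method', 'cs-uri-stem', 'cs(User-Agent)', 'c-ip'))
        reasons = []
        # POST to the static theme resources, /owa/auth/Current/ or the listed ECP files.
        if method == 'POST' and (stem in POST_TARGETS or stem.startswith('/owa/auth/Current/')):
            reasons.append('post-to-indicator-path')
        if method == 'POST' and stem.startswith('/ecp/') and stem.endswith('.js') and len(stem) == 9:
            reasons.append('post-ecp-single-char-js')   # POST /ecp/<single char>.js
        if agent in EXPLOIT_AGENTS:                     # seen during exploitation of /ecp/ URLs
            reasons.append('exploit-user-agent')
        if agent in WEBSHELL_AGENTS:                    # seen during post-exploitation webshell access
            reasons.append('webshell-user-agent')
        if client in ATTACKER_IPS:
            reasons.append('known-attacker-ip')
        hits.extend((reason, req) for reason in reasons)
    return hits

def triage_ecp(lines):
    # ECP server logs live under <exchange install path>/Logging/ECP/Server/.
    return [line for line in lines if ECP_MARKER in line]

def find_unexpected_aspx(exchange_root, wwwroot):
    # Files sitting in the locations the Alert names as webshell drop points.
    found = []
    is_aspx = lambda n: n.lower().endswith('.aspx')
    def collect(folder, keep):
        for dirpath, _, names in os.walk(folder):
            found.extend(os.path.join(dirpath, n) for n in names if keep(n))
    collect(os.path.join(wwwroot, 'aspnet_client'), is_aspx)
    proxy = os.path.join(exchange_root, 'FrontEnd', 'HttpProxy')
    collect(os.path.join(proxy, 'ecp', 'auth'), lambda n: n != 'TimeoutLogoff.aspx')
    owa_auth = os.path.join(proxy, 'owa', 'auth')
    if os.path.isdir(owa_auth):
        for sub in os.listdir(owa_auth):  # Current and the version-numbered folders; owa/auth itself needs a baseline
            if os.path.isdir(os.path.join(owa_auth, sub)):
                collect(os.path.join(owa_auth, sub), is_aspx)
    return sorted(found)

# Constructed sample IIS log in W3C format; not taken from a real server.
SAMPLE_IIS_LOG = [
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken',
    '2021-03-02 10:15:21 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0)+Firefox/86.0 - 200 0 0 31',
    '2021-03-02 10:15:40 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 104.140.114.110 ExchangeServicesClient/0.0.0.0 - 200 0 0 12',
    '2021-03-02 10:16:02 10.0.0.5 POST /ecp/y.js - 443 - 104.140.114.110 python-requests/2.25.1 - 200 0 0 44',
    '2021-03-02 10:20:13 10.0.0.5 POST /owa/auth/Current/x.aspx - 443 - 5.2.69.14 antSword/v2.1 - 200 0 0 9',
]
SAMPLE_ECP_LOG = [  # constructed ECP server-log lines; only the first carries the marker
    '2021-03-02T10:16:02.120Z,OABVirtualDirectory,' + ECP_MARKER + 'http://attacker.example/#...' + chr(39),
    '2021-03-02T10:30:00.000Z,OABVirtualDirectory,S:CMD=Get-OabVirtualDirectory',
]

def build_sample_tree():
    # Constructed layout mirroring the Alert's paths; returns (exchange_root, wwwroot).
    base = tempfile.mkdtemp(prefix='aa21-062a-')
    exchange_root = os.path.join(base, 'Exchange Server', 'V15')
    wwwroot = os.path.join(base, 'inetpub', 'wwwroot')
    proxy = os.path.join(exchange_root, 'FrontEnd', 'HttpProxy')
    for path in (os.path.join(wwwroot, 'aspnet_client', 'system_web', 'supp0rt.aspx'),  # suspect
                 os.path.join(proxy, 'ecp', 'auth', 'TimeoutLogoff.aspx'),               # expected
                 os.path.join(proxy, 'ecp', 'auth', 'error.aspx'),                       # suspect
                 os.path.join(proxy, 'owa', 'auth', 'logon.aspx'),                       # expected, not checked
                 os.path.join(proxy, 'owa', 'auth', 'Current', 'themes', 'resources', 'logon.css'),
                 os.path.join(proxy, 'owa', 'auth', '15.2.792', 'OutlookCN.aspx')):     # suspect
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, 'w').close()
    return exchange_root, wwwroot

if __name__ == '__main__':
    print(triage_iis(SAMPLE_IIS_LOG), triage_ecp(SAMPLE_ECP_LOG), find_unexpected_aspx(*build_sample_tree()))
```

To use it on a real server, feed triage_iis the lines of the u_ex*.log files from the IIS LogFiles directory, triage_ecp the files under the ECP Server logging folder, and find_unexpected_aspx the real Exchange install path and inetpub wwwroot. As the Alert says, a hit on the user-agent or IP lists alone is weak evidence; a POST to a static theme resource, a single-character .js under /ecp/, or the ECP marker string is much stronger and should move you straight to the forensic collection steps later on this page.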
Webshells are utilized for the following purposes:\r\nTo harvest and exfiltrate sensitive data and credentials;\r\nTo upload additional malware for the potential of creating, for example, a watering hole for infection and scanning of\r\nfurther victims;\r\nTo use as a relay point to issue commands to hosts inside the network without direct internet access;\r\nTo use as command-and-control infrastructure, potentially in the form of a bot in a botnet or in support of\r\ncompromises to additional external networks. This could occur if the adversary intends to maintain long-term\r\npersistence.\r\n(Updated March 13, 2021): For more information, see TA15-314A Compromised Web Servers and Web Shells - Threat\r\nAwareness and Guidance.\r\nThe majority of the TTPs in this section are sourced from a blog post from Volexity, a third-party cybersecurity firm.\r\nNote: the United States Government does not endorse any commercial product or service, including any subjects of\r\nanalysis. 
Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or\r\notherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.\r\nVolexity has observed the following files as targets of HTTP POST requests. They are static theme resources that never\r\nlegitimately receive a POST, so a POST to any of them is itself suspicious:\r\n/owa/auth/Current/themes/resources/logon.css\r\n/owa/auth/Current/themes/resources/owafont_ja.css\r\n/owa/auth/Current/themes/resources/lgnbotl.gif\r\n/owa/auth/Current/themes/resources/owafont_ko.css\r\n/owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot\r\n/owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf\r\nAdministrators should search the ECP server logs for the following string (or something similar):\r\nS:CMD=Set-OabVirtualDirectory.ExternalUrl='\r\nThe logs can be found at \u003cexchange install path\u003e\\Logging\\ECP\\Server\\ .\r\nTo determine possible webshell activity, administrators should search for aspx files in the following paths:\r\n\\inetpub\\wwwroot\\aspnet_client\\ (any .aspx file under this folder or sub folders)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\ecp\\auth\\ (any file besides TimeoutLogoff.aspx)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\ (any file or modified file that is not part of a standard\r\ninstall)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\ (any aspx file in this folder or subfolders)\r\n\\\u003cexchange install path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\\u003cfolder with version number\u003e\\ (any aspx file in\r\nthis folder or subfolders)\r\nAdministrators should search the IIS web logs for requests to the /owa/auth/Current directory that carry the following\r\nnon-standard user-agents (IIS records spaces in the user-agent as +, which is why they appear in that form here).\r\nThese agents may be useful for incident responders to look at to determine if further investigation is necessary.\r\nThese should not be taken as definitive IOCs: they are crawler strings that an attacker can set freely, and legitimate\r\ncrawlers do reach OWA logon pages.\r\nDuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)\r\nfacebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)\r\nMozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\nMozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)\r\nMozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html)\r\nMozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)\r\nMozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)\r\nMozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)\r\nMozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36\r\nVolexity observed these user-agents in conjunction with exploitation of /ecp/ URLs:\r\nExchangeServicesClient/0.0.0.0\r\npython-requests/2.19.1\r\npython-requests/2.25.1\r\nThese user-agents were also observed in connections for post-exploitation web-shell access:\r\nantSword/v2.1\r\nGooglebot/2.1+(+http://www.googlebot.com/bot.html)\r\nMozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\nAs with the non-standard user-agents, responders can examine Internet Information Services (IIS) logs from Exchange\r\nServers for the following request patterns to identify possible historical activity. Also, as with the non-standard user-agents, these should not be taken as\r\ndefinitive IOCs:\r\nPOST /owa/auth/Current/\r\nPOST /ecp/default.flt\r\nPOST /ecp/main.css\r\nPOST /ecp/\u003csingle char\u003e.js\r\nVolexity has seen attackers leverage the following IP addresses. 
Although these are tied to virtual private servers (VPSs) and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act\r\naccordingly:\r\n103.77.192[.]219\r\n104.140.114[.]110\r\n104.250.191[.]110\r\n108.61.246[.]56\r\n149.28.14[.]163\r\n157.230.221[.]198\r\n167.99.168[.]251\r\n185.250.151[.]72\r\n192.81.208[.]169\r\n203.160.69[.]66\r\n211.56.98[.]146\r\n5.254.43[.]18\r\n5.2.69[.]14\r\n80.92.205[.]81\r\n91.192.103[.]43\r\nVolexity has also provided the following YARA signatures that can be run within your network to assist in finding signs of a\r\ncompromise.\r\nrule webshell_aspx_simpleseesharp : Webshell Unclassified\r\n{\r\n    meta:\r\n        author = \"threatintel@volexity.com\"\r\n        date = \"2021-03-01\"\r\n        description = \"A simple ASPX Webshell that allows an attacker to write further files to disk.\"\r\n        hash = \"893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2\"\r\n    strings:\r\n        $header = \"\u003c%@ Page Language=\\\"C#\\\" %\u003e\"\r\n        $body = \"\u003c% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine\"\r\n    condition:\r\n        $header at 0 and\r\n        $body and\r\n        filesize \u003c 1KB\r\n}\r\nrule webshell_aspx_reGeorgTunnel : Webshell Commodity\r\n{\r\n    meta:\r\n        author = \"threatintel@volexity.com\"\r\n        date = \"2021-03-01\"\r\n        description = \"A variation on the reGeorg tunnel webshell\"\r\n        hash = \"406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928\"\r\n        reference = \"https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx\"\r\n    strings:\r\n        $s1 = \"System.Net.Sockets\"\r\n        $s2 = \"System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get\"\r\n        // a bit more experimental\r\n        $t1 = \".Split('|')\"\r\n        $t2 = \"Request.Headers.Get\"\r\n        $t3 = \".Substring(\"\r\n        $t4 = \"new Socket(\"\r\n        $t5 = \"IPAddress ip;\"\r\n    condition:\r\n        all of ($s*) or\r\n        all of ($t*)\r\n}\r\nrule webshell_aspx_sportsball : Webshell Unclassified\r\n{\r\n    meta:\r\n        author = \"threatintel@volexity.com\"\r\n        date = \"2021-03-01\"\r\n        description = \"The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.\"\r\n        hash = \"2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a\"\r\n    strings:\r\n        $uniq1 = \"HttpCookie newcook = new HttpCookie(\\\"fqrspt\\\", HttpContext.Current.Request.Form\"\r\n        $uniq2 = \"ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=\"\r\n        $var1 = \"Result.InnerText = string.Empty;\"\r\n        $var2 = \"newcook.Expires = DateTime.Now.AddDays(\"\r\n        $var3 = \"System.Diagnostics.Process process = new System.Diagnostics.Process();\"\r\n        $var4 = \"process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\\\"\"\r\n        $var5 = \"else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\\\"\"\r\n        $var6 = \"\"\r\n    condition:\r\n        any of ($uniq*) or\r\n        all of ($var*)\r\n}\r\nNote: the $var6 string of the sportsball rule is empty in this copy of the Alert, and YARA will not compile an empty\r\nstring; take the rule text from Volexity's blog post (linked under Resources) before compiling it.\r\nA list of webshell hashes (SHA-256) has also been provided by Microsoft:\r\nb75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\r\n097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\r\n2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\r\n65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\r\n511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\r\n4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\r\n811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\r\n1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\r\nNote: this is not an all-inclusive list of indicators of compromise and threat actors have been known to use short-term 
leased\r\nIP addresses that change very frequently. Organizations that do not locate any of the IOCs in this Alert within their network\r\ntraffic may nevertheless have been compromised. CISA recommends following the guidance located in the Microsoft\r\nAdvisory to check your servers for any signs of a compromise.\r\nConduct Forensic Analysis\r\nShould your organization see evidence of compromise, your incident response should begin with conducting forensic\r\nanalysis to collect artifacts and perform triage. Please see the following list of recommendations on how to conduct forensic\r\nanalysis using various tools.\r\nAlthough the following free tools are not endorsed by the Federal Government, incident responders commonly use them to\r\nperform forensics.\r\nWhile collecting artifacts to perform triage, use processes and tools that minimize the alteration of the data being collected\r\nand that minimize impact to the operating system itself.\r\nIdeally, during data collection, store the data on removable/external media and, when possible, run the artifact collection\r\ntools from the same media.\r\nKey artifacts for triage that should be collected:\r\nMemory\r\nAll registry hives\r\nAll Windows event logs\r\nAll web logs\r\nMemory can be collected with a variety of free tools (e.g., FTK Imager by AccessData, RAM Capturer by Belkasoft).\r\nRegistry and Windows Event logs can be collected with a variety of free tools as well (e.g., FTK Imager, Kroll\r\nArtifact Parser And Extractor [KAPE]).\r\nWeb logs can also be collected with a variety of free tools (e.g., FTK Imager).\r\nWindows Artifact Collection Guide\r\nExecute the following steps in order. Memory comes first because every later step, including running KAPE, alters the\r\ncontents of RAM.\r\n1) Download the latest FTK Imager from https://accessdata.com/product-download/ .\r\nNote: Ensure your review of and compliance with the applicable license associated with the product referenced,\r\nwhich can be found in the product’s User Guide. The United States Government does not endorse any commercial\r\nproduct or service, including any subjects of analysis. Any reference to specific commercial products, processes, or\r\nservices by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement,\r\nrecommendation, or favoring by the United States Government.\r\n2) Collect memory from the live system using FTK Imager. See Memory Capture with FTK Imager below for instructions.\r\nNote: Download and copy the “FTK Imager” folder to an external drive. Run FTK Imager.exe from the FTK Imager folder on the\r\nexternal drive. Wait until the memory capture is complete before proceeding to step 3.\r\n3) Collect important system artifacts using KAPE. See KAPE Collection Procedure below. Note: Download KAPE from a\r\nseparate system; do not download KAPE to the target system. Run KAPE from the external drive.\r\n4) Collect a disk image using FTK Imager. See Live Image with FTK Imager.pdf for instructions. Note: Run FTK\r\nImager.exe from the “FTK Imager” folder on the external drive.\r\nMemory Capture with FTK Imager\r\n1) Open FTK Imager. Log into the system with Administrator privileges and launch “FTK Imager.”\r\nNote: Ensure your review of and compliance with the applicable license associated with the product referenced. The\r\nUnited States Government does not endorse any commercial product or service, including any subjects of analysis.\r\nAny reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or\r\notherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States\r\nGovernment.\r\n2) Open “Capture Memory.” Select “Capture Memory…” from the File menu.\r\nFigure 1: FTK Imager – Capture Memory Command\r\n3) Select Path and Filenames. On the window that appears, use the “Browse” button to identify the destination of the\r\nmemory capture. 
Save the memory capture to an external device and not the main hard drive of the system. Doing so\r\nprevents the saved file from overwriting unallocated space on the system disk that may still hold evidence.\r\nName the destination file with a descriptive name (e.g., the hostname of the system).\r\nSelect the box “Include pagefile” and provide a name of the pagefile that is descriptive of the system.\r\nDo not select “Create AD1 file.”\r\nFigure 2: FTK Imager – Memory Capture\r\n4) Capture Memory. Click on “Capture Memory” to begin the capture process. The process will take several minutes\r\ndepending on the size of the pagefile and the amount of memory on the system.\r\nFigure 3: FTK Imager – Capture Process\r\nKAPE Collection Procedure [1]\r\n1) Download KAPE from https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape .\r\n2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, or data loss\r\nprevention (DLP) mechanisms that restrict utilization of removable media.\r\nRe-enable antivirus and host protection once this process is completed.\r\n3) Unzip Kape.zip and run gkape.exe as admin from your removable media.\r\n4) Target source should be the drive on which the OS resides, typically C:.\r\n5) Target destination should be an external drive folder, not the same drive as the Target source. If available, use an\r\nexternal hard drive or flash drive.\r\nA KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB.\r\nIf you are going to be running KAPE on different machines and want to save to the same drive, ensure the Target\r\ndestination folder is unique for each execution of KAPE.\r\n6) Uncheck the Flush checkbox (it is checked natively). Flush (--tflush) deletes everything already in the Target\r\ndestination before copying, which would destroy earlier collections stored on a shared drive.\r\n7) Check the Add %d and Add %m checkboxes.\r\n8) Select ALL checkboxes to ensure KAPE will target all available data that it is capable of targeting. This takes some time;\r\nuse the down arrow and space bar to move through the list quickly.\r\n9) Check the Process VSCs checkbox.\r\n10) Select the Zip radio button and add Base name TargetOutput.\r\n11) Ensure the Deduplicate checkbox is checked (it is checked natively).\r\nAt the bottom you should now see a long Current command line, similar to the following. Note that the line as shown still\r\nincludes --tflush, which step 6 turns off; confirm it is absent from your own command line before executing:\r\n.\\kape.exe --tsource C: --tdest E:\\%d%m --tflush --target\r\n!BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes,\r\nMcAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE,\r\nWebroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord,\r\nDropbox,\r\nExchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepa\r\nOneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs,\r\nChrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs,\r\nMSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin,VirtualDisks,\r\nGigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs,\r\nEncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs,\r\nEvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles,\r\nMOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle,RecycleBin,\r\nRecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB,\r\nSignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall,\r\nWindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints --vss --zip TargetOutput --gui\r\nIn the bottom right corner hit the Execute! 
Button.\r\nThe screenshot below shows gkape.exe during execution; you will also see a command window open. Note: KAPE\r\nusually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer there may be an\r\nissue.\r\nFigure 4: gkape.exe screenshot\r\nMitigations\r\nCISA strongly recommends organizations read Microsoft’s advisory and security blog post for more information on how\r\nto look for this malicious activity and to apply critical patches as soon as possible.\r\n(Updated March 4, 2021): CISA is aware of threat actors using open source tools to search for vulnerable Microsoft\r\nExchange Servers. This particular type of attack is scriptable, allowing attackers to easily exploit vulnerabilities through\r\nautomated mechanisms. CISA advises all entities to patch as soon as possible to avoid being compromised.\r\n(Updated March 4, 2021): From Microsoft's patch release, the security updates are available for the following Exchange\r\nversions:\r\nExchange Server 2010 (update requires SP 3 or any SP 3 RU – this is a Defense in Depth update)\r\nExchange Server 2013 (update requires CU 23)\r\nExchange Server 2016 (update requires CU 19 or CU 18)\r\nExchange Server 2019 (update requires CU 8 or CU 7)\r\n(Updated March 4, 2021): If you are running an older CU than the patch will accept, you must upgrade to at least the\r\nrequired CU as stated above and then apply the patch.\r\n(Updated March 4, 2021): All patches must be applied using administrator privileges. Install the update from an elevated\r\ncommand prompt rather than by double-clicking the .msp: an unelevated install can appear to succeed while leaving OWA and\r\nECP files un-updated.\r\n(Updated March 5, 2021): If patching is not an immediate option, CISA strongly recommends following alternative\r\nmitigations found in Microsoft’s blog on Exchange Server Vulnerabilities Mitigations. However, these options should\r\nonly be used as a temporary solution, not a replacement for patching. Additionally, there are other mitigation options\r\navailable. 
CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:\r\nRestrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access;\r\nnote that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your\r\nnetwork.\r\nBlock external access to on-premises Exchange:\r\nRestrict external access to OWA URL: /owa/ .\r\nRestrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL:/ecp/ .\r\n(Updated March 4, 2021): Disconnect vulnerable Exchange servers from the internet until a patch can be applied.\r\nCISA would like to thank Microsoft and Volexity for their contributions to this Alert.\r\nResources\r\n(Updated April 14, 2021) Microsoft's April 2021 Security Update that mitigates significant vulnerabilities affecting\r\non-premises Exchange Server 2013, 2016, and 2019.\r\n(Updated March 12, 2021) Check my OWA tool for checking if a system has been affected. Disclaimer: this tool\r\ndoes not check against an exhaustive list of compromised domains. It is meant for informational purposes only. 
The\r\nUnited States Government does not provide any warranties of any kind regarding this information and cannot assure\r\nits accuracy or completeness; therefore, entities should not rely solely on this information to justify foregoing CISA’s\r\nrecommendations for action described on this webpage.\r\nMicrosoft Advisory: https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\r\nMicrosoft Security Blog - Hafnium targeting Exchange Servers:\r\nhttps://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\r\nVolexity Blog: https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\r\nMicrosoft’s blog on Exchange Server Vulnerabilities Mitigations: https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/\r\nReferences\r\n[1] Eric Zimmerman: KAPE Documentation\r\nRevisions\r\nMarch 3, 2021: Initial Version\r\nMarch 4, 2021: Updated Mitigations and Technical Details sections\r\nMarch 5, 2021: Updated Mitigations Guidance from Microsoft\r\nMarch 10, 2021: Updated TTP Section\r\nMarch 12, 2021: Updated Resources Section\r\nMarch 12, 2021: Added information on DearCry Ransomware\r\nMarch 13, 2021: Added seven China Chopper Webshell MARs\r\nMarch 14, 2021: Updated information on DearCry Ransomware\r\nMarch 16, 2021: Added information on EOMT tool\r\nMarch 25, 2021: Added two China Chopper Webshell MARs\r\nMarch 25, 2021: Updated MARs to include YARA Rules\r\nMarch 31, 2021: Added links to ED 21-02 and ED 21-02 Supplemental Direction\r\nApril 12, 2021: Added one China Chopper Webshell MAR and one DearCry Ransomware MAR\r\nApril 13, 2021: Added links to Microsoft's April 2021 Security Update and ED 21-02 Supplemental Direction V2\r\nApril 14, 2021: Added Exchange Server 2013 to list of on-premises Exchange Servers affected by the vulnerabilities disclosed on April 13, 2021.\r\nJuly 19, 2021: Added attribution note\r\nSource: https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://us-cert.cisa.gov/ncas/alerts/aa21-062a"
	],
	"report_names": [
		"aa21-062a"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4203dcc7d28993914a27db2c55f4132f4eb65204.pdf",
		"text": "https://archive.orkl.eu/4203dcc7d28993914a27db2c55f4132f4eb65204.txt",
		"img": "https://archive.orkl.eu/4203dcc7d28993914a27db2c55f4132f4eb65204.jpg"
	}
}