{
	"id": "715b854e-1c5e-490b-acd1-714b1b1bdcc5",
	"created_at": "2026-04-06T00:13:26.406657Z",
	"updated_at": "2026-04-10T03:35:48.507581Z",
	"deleted_at": null,
	"sha1_hash": "5c5f23dfca122214cfa6565b996cd811cb0c1786",
	"title": "GitHub - cert-lv/exchange_webshell_detection: Detect webshells dropped on Microsoft Exchange servers exploited through \"proxylogon\" group of vulnerabilites (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 60893,
	"plain_text": "GitHub - cert-lv/exchange_webshell_detection: Detect webshells\r\ndropped on Microsoft Exchange servers exploited through\r\n\"proxylogon\" group of vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065)\r\nBy Andrew Konstantinov\r\nArchived: 2026-04-02 12:16:08 UTC\r\nThis project has been discontinued\r\nPlease use Microsoft tools instead:\r\nMicrosoft Safety Scanner\r\nOther detections and mitigations listed in: https://github.com/microsoft/CSS-Exchange/tree/main/Security\r\nWhen assessing impact we strongly suggest assuming breach and preemptively examining all MS Exchange\r\nservers that were publicly exposed since January, even if there are no signs of active compromise.\r\nNote that data exfiltration and configuration changes were possible (and were happening) just through the SSRF part\r\nof the exploit chain alone (i.e. without achieving code execution, dropping any files or spawning new processes on\r\nthe Exchange host).\r\nUPD: As of March 13, 2021 Windows Defender is detecting this script itself as a Webshell\r\nThis is a false positive: A/V products react to keywords listed in the script. detect_webshells.ps1 is\r\nintentionally written as a standalone file using very simple PowerShell, so that you can inspect it yourself. The\r\nkeywords that (rightly) trigger A/V are listed on line 94. If you do not feel confident that you understand what the\r\nscript is doing, do not run it!\r\nHopefully the fact that antivirus software started detecting this script means it's capable of detecting real webshells\r\nas well, making detect_webshells.ps1 unnecessary. Check that Exchange and inetpub directories are not\r\nwhitelisted though, and please realise that webshells were only used for the initial access. Once attackers\r\nachieved code execution they usually deployed additional persistence mechanisms - sometimes even removing the\r\ninitial webshell themselves to hide their tracks.\r\nSo don't mistake lack of webshells for lack of compromise - unfortunately your server still might have been\r\nhacked and either attackers removed the webshell themselves or an antivirus did that (without completely booting\r\nattackers from your server).\r\nDetect webshells dropped on Microsoft Exchange servers after 0day compromises\r\nhttps://github.com/cert-lv/exchange_webshell_detection\r\nPage 1 of 3\n\nThis script looks for webshells dropped on Microsoft Exchange servers while they were vulnerable to the following\r\nCVEs:\r\nCVE-2021-26855, pre-auth SSRF, CVSS:3.0 9.1 / 8.4\r\nCVE-2021-26857, insecure deserialization leading to privilege escalation to SYSTEM level, CVSS:3.0 7.8\r\n/ 7.2\r\nCVE-2021-26858, post-auth file write, CVSS:3.0 7.8 / 7.2\r\nCVE-2021-27065, post-auth file write, CVSS:3.0 7.8 / 7.2\r\nInitial activity during January 2021 was attributed to HAFNIUM, however since then other threat actors got hold\r\nof these exploits and started using them. Prior to public disclosure \u0026 patches being published by Microsoft (since\r\n27 February or so) publicly exposed Exchange servers started being exploited indiscriminately. As such,\r\ninstalling the latest Exchange updates soon after Microsoft published them did not fully mitigate the risk of prior\r\ncompromise, therefore all Exchange servers should be inspected for signs of unauthorized access.\r\nRunning\r\ndetect_webshells.ps1 will check for the presence of known webshells in typical locations:\r\ninetpub/wwwroot/aspnet_client/ : system wide location, most common place of dropped webshells in\r\ncurrent attacks; normally does not contain any files at all, so presence of anything there is suspicious\r\n$($env:exchangeinstallpath)/Frontend/ : used by more sophisticated attackers in order to blend in with\r\nlegitimate Exchange files (webshells could be added as new files or by modifying existing ones, including\r\nweb.config ); most common locations are /owa/ and /ecp/ , but webshells could be dropped anywhere\r\nwithin the Frontend directory\r\nInterpreting the results\r\ndetect_webshells.ps1 only looks for webshells and does not attempt to detect past exploitation events directly\r\n(use https://github.com/microsoft/CSS-Exchange/tree/main/Security and other scripts mentioned below for this),\r\nnor is it looking for particularly stealthy threat actors (which could delete webshells after use or avoid dropping\r\nthem altogether). As such, a negative result can only mean absence of evidence of the compromise on this particular\r\nhost. It does not guarantee that the host was not exploited by some other means.\r\nMore information\r\nWriteups/disclosures (incl. IoC):\r\nhttps://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\r\nhttps://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\r\nhttps://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/\r\nhttps://us-cert.cisa.gov/ncas/alerts/aa21-062a\r\nhttps://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/\r\nhttps://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/\r\nNotable detection scripts:\r\nhttps://github.com/microsoft/CSS-Exchange/tree/main/Security (incl. nmap script for remote SSRF\r\ndetection!)\r\nhttps://github.com/soteria-security/HAFNIUM-IOC\r\nhttps://github.com/sgnls/exchange-0days-202103\r\nhttps://github.com/mr-r3b00t/ExchangeMarch2021IOCHunt\r\nSource: https://github.com/cert-lv/exchange_webshell_detection",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://github.com/cert-lv/exchange_webshell_detection"
	],
	"report_names": [
		"exchange_webshell_detection"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434406,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c5f23dfca122214cfa6565b996cd811cb0c1786.pdf",
		"text": "https://archive.orkl.eu/5c5f23dfca122214cfa6565b996cd811cb0c1786.txt",
		"img": "https://archive.orkl.eu/5c5f23dfca122214cfa6565b996cd811cb0c1786.jpg"
	}
}