Query Details

Proxy Shell

Query

//Searching for evidence of Microsoft Exchange ProxyShell flaws. Requires Microsoft Defender for Endpoint connected.

DeviceFileEvents
// Exact, case-sensitive match against the known web shell paths (same semantics as the original == chain)
| where FolderPath in (
    "C:\\inetpub\\wwwroot\\aspnet_client\\488617229.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\654253568.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\668544844.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\731294981.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\CYCESRYBAJPREELGQOQ.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\CYSCPPUOWK.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\JVSTGMTCIPJCGR.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\MQMYUVTNMSZJQEUB.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\MWWJJRXXQWDKQGURFMQ.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\PFLIYH.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\RLDVMAGKRJV.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\RWXJGN.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\TDIVOXVL.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\VQJMZXKL.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\XETUQDFHBZXAR.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\apfpprmunlpzyhom.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\czhlxfrdbhuqxljd.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\dxtfc.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\eewiq.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\febvx.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\ksrgd.aspx",
    "C:\\inetpub\\wwwroot\\aspnet_client\\lsdiv.aspx"
)

//Reference: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit - https://cda.ms/2qP

Explanation

This query searches for evidence of Microsoft Exchange ProxyShell exploitation by matching DeviceFileEvents records whose FolderPath equals one of the known web shell paths under C:\inetpub\wwwroot\aspnet_client (an exact, case-sensitive comparison). It requires Microsoft Defender for Endpoint data to be connected. The reference links to more information about the vulnerability.
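A broader variant of the same hunt, added here as an example and not the page's own query: rather than matching only the listed paths, it flags any .aspx file written under the aspnet_client folder and marks which hits carry one of the web shell names above. Column names follow the standard DeviceFileEvents schema; the premise that a default Exchange install serves no .aspx content from aspnet_client is an assumption.

```kql
// Added example, not the page's own query: broaden the hunt from an exact path list
// to any .aspx written under aspnet_client, and mark hits that match the names listed above.
// Assumption: a default Exchange install serves no .aspx content from aspnet_client.
let KnownShells = dynamic([
    "488617229.aspx", "654253568.aspx", "668544844.aspx", "731294981.aspx",
    "cycesrybajpreelgqoq.aspx", "cyscppuowk.aspx", "jvstgmtcipjcgr.aspx",
    "mqmyuvtnmszjqeub.aspx", "mwwjjrxxqwdkqgurfmq.aspx", "pfliyh.aspx",
    "rldvmagkrjv.aspx", "rwxjgn.aspx", "tdivoxvl.aspx", "vqjmzxkl.aspx",
    "xetuqdfhbzxar.aspx", "apfpprmunlpzyhom.aspx", "czhlxfrdbhuqxljd.aspx",
    "dxtfc.aspx", "eewiq.aspx", "febvx.aspx", "ksrgd.aspx", "lsdiv.aspx"
]);
DeviceFileEvents
| where ActionType in ("FileCreated", "FileModified")
// contains is case-insensitive, so drive letter or path casing differences do not hide a hit
| where FolderPath contains @"\inetpub\wwwroot\aspnet_client\"
| where FileName endswith ".aspx"
// names are compared lowercase so the list above matches regardless of casing on disk
| extend KnownShell = set_has_element(KnownShells, tolower(FileName))
// the IIS worker process writing its own .aspx content is a strong exploitation signal
| extend WrittenByIIS = InitiatingProcessFileName =~ "w3wp.exe"
| project Timestamp, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine, KnownShell, WrittenByIIS
| order by Timestamp desc
```

Rows with KnownShell == false still deserve triage, since web shell names vary between intrusions while the drop location does not.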

Details


Rod Trent

Released: August 23, 2021

Tables

DeviceFileEvents

Keywords

DeviceFileEvents, FolderPath

Operators

|, ==, or, where
