Proxy Shell
Query
//Searching for evidence of Microsoft Exchange ProxyShell Flaws. Requires Microsoft Defender for Endpoints connected.
DeviceFileEvents
| where FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\488617229.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\654253568.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\668544844.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\731294981.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\CYCESRYBAJPREELGQOQ.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\CYSCPPUOWK.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\JVSTGMTCIPJCGR.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\MQMYUVTNMSZJQEUB.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\MWWJJRXXQWDKQGURFMQ.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\PFLIYH.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\RLDVMAGKRJV.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\RWXJGN.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\TDIVOXVL.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\VQJMZXKL.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\XETUQDFHBZXAR.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\apfpprmunlpzyhom.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\czhlxfrdbhuqxljd.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\dxtfc.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\eewiq.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\febvx.aspx" or FolderPath == "C:\\inetpub\\wwwroot\\aspnet_client\\ksrgd.aspx" or FolderPath =="C:\\inetpub\\wwwroot\\aspnet_client\\lsdiv.aspx"
//Reference: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit - https://cda.ms/2qPExplanation
This query is searching for evidence of Microsoft Exchange ProxyShell flaws. It looks for specific file paths related to the flaws in the DeviceFileEvents table. The query requires Microsoft Defender for Endpoints to be connected. The reference provided is a link to more information about the vulnerability.
Details

Rod Trent
Released: August 23, 2021
Tables
DeviceFileEvents
Keywords
DeviceFileEventsFolderPath
Operators
|==orwhere