Query Details

Proxy Shell Exchange

Query

//Check the Exchange Server for ProxyShell vulnerability scanning

W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell"
| where csMethod == "POST"

Explanation

This query checks the Exchange Server IIS logs for scanning activity related to the ProxyShell vulnerability. It returns requests to the "/autodiscover/autodiscover.json" endpoint whose query string contains the term "PowerShell" and that use the HTTP POST method. The == comparisons on csUriStem and csMethod are exact and case-sensitive, while has matches the whole term "PowerShell" regardless of case.
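To see how each of the three filters behaves, the following added example (not part of the original query or written by its author) runs the same conditions over constructed rows in a datatable, so it can be pasted into a Log Analytics query window without touching real logs. The sample rows, the Note column, the flag column names and the =~ comparison are assumptions added for illustration.

```kql
// Constructed sample rows, not real log data.
// Column names follow the W3CIISLog table; Note is a hypothetical helper column.
let SampleIISLog = datatable(TimeGenerated:datetime, cIP:string, csMethod:string,
                             csUriStem:string, csUriQuery:string, Note:string)
[
    datetime(2021-08-24 10:00:01), "203.0.113.10", "POST",
        "/autodiscover/autodiscover.json", "a=example.test/powershell/",
        "all three conditions hold",
    datetime(2021-08-24 10:00:02), "203.0.113.10", "GET",
        "/autodiscover/autodiscover.json", "a=example.test/powershell/",
        "wrong method",
    datetime(2021-08-24 10:00:03), "198.51.100.7", "POST",
        "/autodiscover/autodiscover.json", "Protocol=Autodiscoverv1",
        "no PowerShell term in the query string",
    datetime(2021-08-24 10:00:04), "203.0.113.10", "POST",
        "/Autodiscover/Autodiscover.json", "a=example.test/PowerShell/",
        "stem logged with different casing",
    datetime(2021-08-24 10:00:05), "198.51.100.7", "POST",
        "/autodiscover/autodiscover.json", "script=mypowershellhelper",
        "substring only, not a whole term"
];
SampleIISLog
// Evaluate each filter of the original query as its own flag
| extend StemExact    = csUriStem == "/autodiscover/autodiscover.json",
         QueryHasTerm = csUriQuery has "PowerShell",
         MethodPost   = csMethod == "POST"
// Case-insensitive stem comparison, shown for contrast (assumption, not in the original)
| extend StemAnyCase  = csUriStem =~ "/autodiscover/autodiscover.json"
// Matched reproduces the result of the original three where clauses
| extend Matched = StemExact and QueryHasTerm and MethodPost
| project TimeGenerated, cIP, Note, StemExact, StemAnyCase, QueryHasTerm, MethodPost, Matched
```

Only the first row has Matched set to true. The fourth row passes only the =~ comparison, which is worth considering if the logs in your workspace record the path with mixed casing.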

Details

Rod Trent

Released: August 24, 2021

Tables

W3CIISLog

Keywords

Exchange, ProxyShell, Vulnerability, Scanning, W3CIISLog, csUriStem, csUriQuery, PowerShell, csMethod, POST

Operators

| where, ==, has
