5/25/2023

Msert tool exchange

Be sure to purchase and use anti-malware protection on the Exchange Servers.

If you find any evidence of exploitation (e.g., in Exchange application logs), ensure you are retaining the logs, and use the details such as timestamps and source IPs to drive further investigation.

If you find known bad files using your endpoint security solution, the Microsoft IOC feed, or the Microsoft Safety Scanner, take the following actions:

- Remediate and quarantine them for further investigation unless they are expected customizations in your environment.
- As part of hunting and scanning, if you find evidence of exploitation of the Unified Messaging RCE (CVE-2021-26857), you should delete potential uncleaned exploit files in %ExchangeInstallPath%\UnifiedMessaging\voicemail.
- Consider submitting suspected malicious files to Microsoft for analysis following this guidance: Submit files for analysis by Microsoft – Windows security | Microsoft Learn, and include the string “ExchangeMarchCVE” in the Additional Information text box of the submission form.
- Search your IIS logs to identify whether or not the files identified as malicious have been accessed.
- If you find any evidence of external access to a suspect file identified above, use this information to drive further investigation on impacted servers and across your environment.

Our blog post on the Hafnium attack goes into details for folks who need additional details for IOCs, file hashes, etc.: HAFNIUM targeting Exchange Servers with 0-day exploits – Microsoft Security

If any of your security detections or the investigation tools' results lead you to suspect that your Exchange servers have been compromised and an attacker has actively engaged in your environment, execute your Security Incident Response plans, and consider engaging experienced Incident Response assistance.
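The step "search your IIS logs to identify whether the files identified as malicious have been accessed" is the one most responders end up scripting, because the W3C log format IIS writes has a variable field layout declared in a #Fields: header rather than a fixed column order. The following is an added example, not code from the original post or from Microsoft: it parses exported IIS W3C log text using that header, then reports every request whose cs-uri-stem matches a path the analyst has flagged, together with the timestamp, client IP, method and status that the post says should drive further investigation. The log lines, the server address, the client addresses and the suspect path /owa/auth/suspect.aspx are all constructed for the example; in practice the suspect paths come from your endpoint tooling or the Microsoft IOC feed, and the text comes from the C:\inetpub\logs\LogFiles directories of each Exchange server (remember that IIS stamps its log entries in UTC by default).

```python
"""Find accesses to flagged files in IIS W3C extended logs.

Added example for triage of Exchange IIS logs. Assumes the responder has
exported the log text and has a set of suspect URI paths in hand. All
sample data below is constructed, not taken from any real server.
"""
from collections import defaultdict

# Constructed sample log (assumption: this is what an exported IIS W3C
# log looks like; no real hosts or incidents are represented).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-04 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-04 01:12:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 120
2021-03-04 01:13:44 10.0.0.5 POST /owa/auth/suspect.aspx - 443 - 198.51.100.7 python-requests/2.25 - 200 0 0 35
2021-03-04 01:13:45 10.0.0.5 POST /OWA/Auth/Suspect.aspx - 443 - 198.51.100.7 python-requests/2.25 - 200 0 0 41
2021-03-04 02:00:00 10.0.0.5 GET /ecp/default.aspx - 443 - 192.0.2.11 Mozilla/5.0 - 302 0 0 10
this line is malformed and must be skipped
"""

# Hypothetical suspect path supplied by the analyst (constructed).
SUSPECT_PATHS = {"/owa/auth/suspect.aspx"}


def parse_iis_log(text):
    """Yield one dict per request line, keyed by the names in #Fields:.

    IIS may emit a new #Fields: header mid-file (e.g. after a config
    change), so the current header is tracked rather than assumed.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            # Field count mismatch: truncated or foreign line, skip it.
            continue
        yield dict(zip(fields, values))


def find_suspect_access(text, suspect_paths):
    """Return {suspect_path: [hit, ...]} for every request to a flagged file.

    Matching is case-insensitive because IIS paths are, and the URI stem
    in the log keeps whatever case the client sent.
    """
    wanted = {p.lower() for p in suspect_paths}
    hits = defaultdict(list)
    for rec in parse_iis_log(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem not in wanted:
            continue
        hits[stem].append({
            "timestamp_utc": f"{rec['date']} {rec['time']}",
            "client_ip": rec.get("c-ip", "-"),
            "method": rec.get("cs-method", "-"),
            "status": rec.get("sc-status", "-"),
            "user_agent": rec.get("cs(User-Agent)", "-"),
        })
    return dict(hits)


def source_ips(hits):
    """Sorted, de-duplicated client IPs across all hits: the list you
    pivot on when widening the investigation to other servers."""
    return sorted({h["client_ip"] for recs in hits.values() for h in recs})


if __name__ == "__main__":
    found = find_suspect_access(SAMPLE_LOG, SUSPECT_PATHS)
    for path, recs in found.items():
        print(f"{path}: {len(recs)} request(s)")
        for h in recs:
            print(f"  {h['timestamp_utc']} {h['client_ip']} {h['method']} {h['status']} {h['user_agent']}")
    print("client IPs to pivot on:", source_ips(found))
```

Run it against each server's log directory (concatenating the rotated u_ex*.log files) and retain the original files untouched, as the post asks; the script only reads them. A match does not by itself prove the file was a web shell (the post's own caveat about expected customizations applies), but a request to a flagged file from an external address is exactly the "evidence of external access" that justifies escalating to the incident response plan.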