Microsoft continues to monitor and analyse strikes exploiting the recent on-premises Exchange Server vulnerabilities. These attacks are now performed by multiple threat performers ranging from financially motivated cybercriminals to state-sponsored groups. To help customers who are not able to immediately install updates, Microsoft released a one-click tool that automatically mitigates one of the vulnerabilities and scans servers for known strikes. Microsoft likewise built this capability into Microsoft Defender Antivirus, expanding the reach of the mitigation. As of today, we have seen a significant decrease in the number of still-vulnerable servers- more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities.

As organizations recover from this incident, we continue to publish guidance and share threat intelligence to help detect and evict threat performers from affected environments. Today, we are sharing intelligence about what some attackers did after exploit the vulnerable servers, ranging from ransomware to data exfiltration and deployment of various second-stage warheads. This blog embraces 😛 TAGEND

Threat intelligence and technical details about known onslaughts, including components and attack tracks, that defenders can use to investigate whether on-premises Exchange servers were compromised before they were patched and to comprehensively respond to and remediate these threats if they appreciate them in their environments. Detecting and automatic remediation built into Microsoft Defender Antivirus and how investigation and remediation abilities in solutions like Microsoft Defender for Endpoint can help responders perform additional hunting and remediate threats.

Although the overall numbers of ransomware have remained extremely small to this point, it is important to remember that these threats show how quickly attackers can pivot their campaigns to are benefiting from newly disclosed vulnerabilities and target unpatched systems, demonstrating how critical it is for organizations to apply security updates as soon as possible. We strongly urge organizations to identify and update vulnerable on-premises Exchange servers, and to follow mitigation and investigation counseling that we have collected and continue to update here: https :// aka.ms/ ExchangeVulns.

Mitigating post-exploitation activities

The first known assaults leveraging the Exchange Server vulnerabilities were by the nation-state actor HAFNIUM, which we detailed in this blog. In the three weeks after the Exchange server vulnerabilities were disclosed and security rights updates were released, Microsoft saw numerous other attackers adopting the exploit into their toolkits. Attackers are known to rapidly work to reverse engineer patches and develop exploits. In the case of a remote code executing( RCE) vulnerability, the rewards are high for attackers who can gain access before an organization patches, as patching a system does not necessarily remove the access of the attacker.

Figure 1. The Exchange Server exploit chain

In our investigation of the on-premises Exchange Server attacks, we discovered systems being affected by multiple menaces. Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, indicating attackers could be establishing and keeping their access for potential later actions. These acts might involve performing follow-on assaults via perseverance on Exchange servers they have already compromised, or using credentials and data stolen during these attacks to compromise networks through other enter vectors.

Attackers who includes the exploit in their toolkits, whether through modifying public proof of concept exploits or their own research, capitalise on their window of opportunity to gain access to as many systems as they could. Some attackers were advanced enough to remove other attackers from the systems and use multiple persistence points to maintain access to a network.

We have constructed protections against these threats into Microsoft security answers. Refer to the Appendix for a list of indicators of compromise, detection details, and advanced hunting queries. We have also additional tools and investigation and remediation counseling here: https :// aka.ms/ exchange-customer-guidance.

While performing a full investigation on systems is recommended, the following themes are common in many of the attacks. These are predominating threat tendencies that Microsoft has been monitoring, and present solutions and recommendations for prevention and mitigation apply 😛 TAGEND

Web shells- As of this writing, many of the unpatched systems we find had multiple web shells on them. Microsoft has been tracking the rise of web shell assaults for the past few years, ensuring our products see these threats and furnishing remediation counseling for customers. For more info on web shells, read Web shell attacks continue to rise. We have also published guidance on web shell threat hunting with Azure Sentinel. Human-operated ransomware- Ransomware attacks pose some of the biggest security risks for organizations today, and attackers behind these attacks were quick to are benefiting from the on-premises Exchange Server vulnerabilities. Successfully exploiting the vulnerabilities devotes attackers the ability to launch human-operated ransomware campaigns, a trend that Microsoft has been closely monitoring. For more information about human-operated ransomware attacks, including Microsoft answers and guidance for improving defenses, read: Human-operated ransomware attacks. Credential theft- While credential steal is not the immediate aim of some of these attacks, access to Exchange servers allowed attackers to access and potentially steal credentials present on information systems. Attackers can use these stolen credentials for follow-on assaults later, so organizations need to prioritize identifying and remediating impacted identities. For more information, read best practises for house credential hygiene.

In the following sections, we share our analysis of known post-compromise activities associated with exploitation of the Exchange server vulnerabilities because it is helpful to understand these TTPs, in order to defend against other actors apply similar tactics or tools. While the different levels of disruptive post-compromise activity like ransomware may be limited at the time of this writing, Microsoft will continue to track this space and share information with the community. It’s important to note that with some post-compromise techniques, attackers may gain highly privileged lingering access, but many of the impactful subsequent attacker activities can be mitigated by exercise the principle of least privilege and mitigating lateral movement.

DoejoCrypt ransomware

DoejoCrypt was the first ransomware to appear to take advantage of the vulnerabilities, starting to encrypt in limited numbers shortly after the spots were liberated. Ransomware attackers often use multiple tools and exploits to gain initial access, including buy access through a broker or “reseller” who sells access to systems they have already compromised. The DoejoCrypt assaults start with a variant of the Chopper web shell being deployed to the Exchange server post-exploitation.

The web shell writes a batch file to C :\ Windows \ Temp \ xx.bat. Found on all systems that received the DoejoCrypt ransomware warhead, this batch file performs a backup of the Security Account Manager( SAM) database and the System and Security registry hives, letting the attackers later access to passwords of local consumers on the system and, more critically, in the LSA Secret portion of the registry, where passwords for services and scheduled duties are stored.

Figure 2. xx.bat

Given configurations that administrators typically use on Exchange servers, many of the compromised systems are likely to have had at least one service or scheduled undertaking configured with a highly privileged account to perform actions like backups. As service account credentials are not frequently altered, he was able to provide a great advantage to an attacker even if they lose their initial web shell access due to an antivirus detecting, as the account can be used to elevate privileges later, which is why we strongly recommend operating under the principle of least privileged access.

The batch file saves the registry hives to a semi-unique location, C :\ windows \ temp \ debugsms, assembles them into a CAB file for exfiltration, and then cleans up the folders from the system. The file likewise enables Windows Remote Management and specifies up an HTTP listener, indicating the attacker might take advantage of the internet-facing nature of an Exchange Server and use this method for later access if other tools are removed.

Figure 3. xx.bat actions

The xx.bat file has been run on many more systems than have been ransomed by the DoejoCrypt attacker, meaning that, while not all systems have moved to the ransom stage, the attacker has gained access to multiple credentials. On systems where the attacker moved to the ransom stage, we realized reconnaissance commands being run via the same web shell that dopped the xx.bat file( in such instances, a version of Chopper ):

Figure 4. DoejoCrypt recon command

After these commands are completed, the web shell drops a new warhead to C :\ Windows \ Help which, like in many human-operated ransomware campaigns, leads to the attack framework Cobalt Strike. In observed instances, the downloaded payload is shellcode with the file name new4 43. exe or Direct_Load.exe. When operated, this payload injects itself into notepad.exe and reaches out to a C2 to download Cobalt Strike shellcode.

Figure 5. DoejoCrypt ransomware attack chain

During the hands-on-keyboard stage of the attack, a new warhead is downloaded to C :\ Windows \ Help with names like s1. exe and s2. exe. This payload is the DoejoCrypt ransomware, which utilizes a. CRYPT extension for the freshly encrypted files and a very basic readme.txt ransom note. In some instances, the time between xx.bat being plummeted and a ransomware warhead running was under half an hour.

Figure 6. DoejoCrypt ransom note

While the DoejoCrypt payload is the most visible outcome of this attackers’ activities, the be made available to credentials they have gained could serve them for future campaigns if organizations do not reset credentials on compromised systems. An additional overlapping activity observed on systems where xx.bat was present and the attackers were able to get Domain Administrator rights was the running of scripts to snapshot Active Directory with ntdsutil–an action that, if executed successfully, could give the attackers access to all the passwords in Active Directory from a single compromised system.

Lemon Duck botnet

Cryptocurrency miners were some of the first warheads we observed being has decreased by attackers from the post-exploit web shells. In the first few days after security rights updates were released, we observed multiples cryptocurrency miner campaigns, which had been previously targeting SharePoint servers, add Exchange Server exploitation to their repertoire. Most of these coin miners were deviations on XMRig miners, and many arrived via a multi-featured implant with the capability to download new warheads or even move laterally.

Lemon Duck, a known cryptocurrency botnet named for a variable in its code, dove into the Exchange exploit action, adopting different exploit styles and choosing to use a fileless/ web shell-less alternative of direct PowerShell commands from w3wp( the IIS worker process) for some attacks. While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner.

Using a shape of the attack that allows direct executing of commands versus plummeting a web shell, the Lemon Duck operators operated standard Invoke Expression commands to download a payload. Having used the same C2 and download servers for some time, the operators applied a varied degree of obfuscation to their commands on execution.

Fig 7. Example executings of Lemon Duck payload downloads

The Lemon Duck payload is an encoded and obfuscated PowerShell script. It first removes various security products from information systems, then creates scheduled duties and WMI Event subscription for persistence. A second script is downloaded to attempt to sidestep Microsoft Defender Antivirus, mistreating their administrative access to run the Set-MPPreference command to disable real-time monitoring( a tactic that Microsoft Defender Tamper protection blocks) and add scanning exclusions for the C :\ drive and the PowerShell process.

Figure 8. Lemon Duck payloads

One arbitrarily named scheduled duty connects to a C2 every hour to download a new warhead, which includes various lateral motion and credential theft tools. The operators were considered to download RATs and information stealers, including Ramnit payloads.

Figure 9. Lemon Duck post-exploitation activities

In some instances, the operators took advantage of having compromised mail servers to access mailboxes and mail emails containing the Lemon Duck payload utilizing various colorful email subjects.

Figure 10. Email subjects of possibly malicious emails

Figure 11. Attachment variables

In one notable instance, the Lemon Duck operators compromised a system that are currently had xx.bat and a web shell. After establishing persistence on information systems in a non-web shell method, the Lemon Duck operators were observed cleaning up other attackers’ presence on the system and mitigating the CVE-2 021 -2 6855( SSRF) vulnerability using a legitimate cleanup script that they hosted on their own malicious server. This action avoids further exploitation of the server and removes web shells, making Lemon Duck exclusive access to the compromised server. This stresses the need to fully investigate systems that were uncovered, even if they have been fully patched and mitigated, per traditional incident response process.

Pydomer ransomware

While DoejoCrypt was a new ransomware payload, the access gained by attackers via the on-premises Exchange Server vulnerabilities will likely become part of the complex cybercriminal economy where additional ransomware operators and affiliates take advantage of it. The first existing ransomware household to capitalize on the vulnerabilities was Pydomer. This ransomware household was previously seen using vulnerabilities in onslaughts , notably taking advantage of Pulse Secure VPN vulnerabilities, for which Pulse Secure has liberated security spots, to steal credentials and perform ransomware attacks.

In this campaign, the operators scanned and mass-compromised unpatched Exchange Servers to drop a web shell. They started later than some other attackers, with many compromises resulting between March 18 and March 20, a window when fewer unpatched systems provide an opportunity. They then dropped a web shell, with a notable file name format: “Chack[ Word ][ Country abbreviation] ” 😛 TAGEND

Figure 12. Example web shell names find being used by the Pydomer attackers

These web shells were observed on around 1,500 systems , not all of which moved to the ransomware stage. The attackers then applied their web shell to dump a test.bat batch file that performed a similar function in the attack chain to the xx.bat of the DoejoCrypt operators and allowed them to perform a dump of the LSASS process.

Figure 13. Pydomer post-exploitation activities

This access alone would be valuable to attackers for later attempts, similar to the credentials gained during their use of Pulse Secure VPN vulnerabilities. The highly privileged credentials is obtained from an Exchange system are likely to contain domain administrator accounts and service accounts with backup privileges, signifying these attackers could perform ransomware and exfiltration actions against the networks they compromised long after the Exchange Server is patched and even enter via different means.

On systems where the attackers did move to second-stage ransomware runnings, they utilized a Python script compiled to an executable and the Python cryptography libraries to encrypt files. The attackers then executed a PowerShell script via their web shell that acts as a downloader and distribution mechanism for the ransomware.

Figure 14. PowerShell downloader and spreader used to get the Pydomer payload

The script retrieves a payload from a site hosted on a realm generation algorithm( DGA) domain, and attempts to spread the warhead throughout the network, first attempting to spread the warhead over WMI applying Invoke-WMIMethod to attempt to connect to systems, and falling back to PowerShell remoting with Enter-PSSession if that fails. The script is run within the context of the web shell, which in most instances is Local System, so this lateral movement strategy is unlikely to work except in organizations that are running highly insecure and unrecommended configurations like having computer objects in highly privileged groups.

The Pydomer ransomware is a Python script compiled to an executable and uses the Python cryptography libraries to encrypt files. The ransomware encrypts the files and appends a random expansion, and then plummets a ransom note named decrypt_file.TxT.

Figure 15. Pydomer ransom note

Interestingly, the attackers seem to have deployed a non-encryption extortion strategy. Following well-known ransomware groups like Maze and Egregor which leaked data for pay, the Pydomer hackers dropped an alternative readme.txt onto systems without encrypting files. This option might have been semi-automated on their part or a side effect of a failing in their encryption process, as some of the systems they accessed were exam systems that demonstrated no data exfiltration. The note should be taken seriously if encountered, as the attackers had full be made available to systems and were likely able to exfiltrate data.

Figure 16. Pydomer extortion readme.txt

Credential theft, turf campaigns, and bird-dog perseverance

If a server is not running in a least-privilege configuration, credential crime could provide a significant return on investment for an attacker beyond their initial access to email and data. Many organizations have backup agent software and scheduled undertakings operating on these systems with domain admin-level permissions. For these organizations, the attackers might be able to harvest highly privileged credentials without lateral motion, for example, using the COM services DLL as a living-off-the-land binary to perform a dump of the LSASS process 😛 TAGEND

Figure 17. Use of COM services DLL to dump LSASS process

The number of observed credential crime assaults, combined with high privilege of accounts often given to Exchange servers, means that these attacks could continue to impact organizations that don’t fully remediate after a compromise even after patches have been applied. While the observed ransomware attempts were small-scale or had corrects, there is still the possibility of more skillful groups utilizing credentials gained in these attacks for later attacks.

Attackers likewise use their access to perform extensive reconnaissance using built-in Exchange commandlets and dsquery to exfiltrate information about network configurations, customer information, and email assets.

While Lemon Duck operators might have had the boldest method for removing other attackers from information systems they compromised, they were not the only attacker to do so. Others were observed cleaning up. aspx and. bat files to remove other attackers, and even rebuilding the WMI database by delete. mof files and restarting the service. As the window on unpatched machines closes, attackers presented increased interest in maintaining the access to the systems they exploited. By apply “malwareless” perseverance mechanisms like enabling RDP, installing Shadow IT tools, and adding new local administrator accounts, the attackers are hoping to evade incident response attempts that might focus exclusively on web shells, AV scans, and patching.

Defending against exploits and post-compromise activities

Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates. Comprehensive mitigation guidance can be found here: https :// aka.ms/ ExchangeVulns.

As seen in the post-exploitation assaults discussed in this blog, the routes that attackers can take after successfully exploiting the vulnerabilities are varied and wide-ranging. If you have determined or have reason to suspect that these threats are present on your network, here are immediate steps you can take 😛 TAGEND

Investigate disclosed Exchange servers for compromise, irrespective of their current spot status. Look for web shells via our guidance and operate a full AV scan apply the Exchange On-Premises Mitigation Tool. Investigate Local Users and Groups, even non-administrative users for alters, and ensure all users require a password for sign-in. New user account initiations( represented by Event ID 4720) during the time the system was vulnerable might indicate a malicious consumer initiation. Reset and randomize local administrator passwords with a tool like LAPS if you are not already doing so. Appear for changes to the RDP, firewall, WMI subscriptions, and Windows Remote Management( WinRM) configuration of the system that might have been configured by the attacker to allow persistence. Appear for Event ID 1102 to determine if attackers cleared event logs, an activity that attackers perform with exe in an attempt to hide their trails. Appear for new perseverance mechanisms such as unexpected services, scheduled undertakings, and startup items. Appear for Shadow IT tools that attackers might have installed for persistence, such as non-Microsoft RDP and remote access patrons. Check mailbox-level email forwarding decideds( both ForwardingAddress and ForwardingSMTPAddress attributes ), check mailbox inbox regulations( which might be used to forward email externally ), and check Exchange Transport regulations that you are able to not recognize.

While our response tools check for and remove known web shells and assault tools, performs an full investigation of these systems is recommended. For comprehensive investigation and mitigation the guidelines and tools, find https :// aka.ms/ exchange-customer-guidance.

Additionally, here are best practices for house credential hygiene and practicing the principle of least privilege 😛 TAGEND

Follow guidance to run Exchange in least-privilege configuration: https :// adsecurity.org/? p= 4119. Ensure service accounts and scheduled undertakings run with the least privileges there is a requirement to. Avoid widely privileged groups like realm admins and backup operators and opt accounts with be made available to only the systems they need. Randomize local administrator passwords to prevent lateral motion with tools like LAPS. Ensure administrators practise good administration habits like Privileged Admin Workstations. Avoid privileged reports like realm admins from signing into member servers and workstations using Group Policy to limit credential exposure and lateral movement.

Appendix Microsoft Defender for Endpoint detection details

Antivirus

Microsoft Defender Antivirus sees exploitation behavior with these detectings 😛 TAGEND

Behavior: Win3 2/ Exmann Behavior: Win3 2/ IISExchgSpawnEMS Exploit: ASP/ CVE-2 021 -2 7065 Exploit:Script/Exmann Trojan: Win3 2/ IISExchgSpawnCMD Behavior: Win3 2/ IISExchgDropWebshell

Web shells are seen as 😛 TAGEND

Backdoor: JS/ Webshell Backdoor 😛 HP/ Chopper Backdoor:ASP/Chopper Backdoor: MSIL/ Chopper Trojan: JS/ Chopper Trojan:Win32/Chopper Behavior: Win3 2/ WebShellTerminal

Ransomware payloads and associated files are detected as 😛 TAGEND

Trojan: BAT/ Wenam– xx.bat behaviors Ransom: Win3 2/ DoejoCryptDoejoCrypt ransomware Trojan 😛 owerShell/ Redearps– PowerShell spreader in Pydomer strikes Ransom: Win6 4/ PydomerPydomer ransomware

Lemon Duck malware is detected as 😛 TAGEND

Trojan 😛 owerShell/ LemonDuck Trojan: Win3 2/ LemonDuck

Some of the credential stealing techniques highlighted in this report are detected as 😛 TAGEND

Behavior: Win3 2/ DumpLsass Behavior:Win32/RegistryExfil

Endpoint detection and response( EDR)

Alerts with the following titles in the security center can indicate threat activity on your network 😛 TAGEND

Suspicious Exchange UM process initiation Suspicious Exchange UM file creation Suspicious w3wp. exe activity in Exchange Possible exploitation of Exchange Server vulnerabilities Possible IIS web shell Possible web shell installing Web shells associated with Exchange Server vulnerabilities Network traffic are connected with Exchange Server exploitation

Alerts with the following names in the security center can indicate threat activity on your network specific to the DoejoCrypt and Pydomer ransomware campaign 😛 TAGEND

DoejoCrypt ransomware Pydomer ransomware Pydomer download site

Alerts with the following names in the security center can indicate threat activity on your network specific to the Lemon Duck botnet 😛 TAGEND

LemonDuck Malware LemonDuck botnet C2 domain activity

The following behavioral alerts might also indicate threat activity associated with this threat 😛 TAGEND

Possible web shell installation A suspicious web script was created Suspicious processes indicative of a web shell Suspicious file attribute alter Suspicious PowerShell command line Possible IIS Web Shell Process recollection dump A malicious PowerShell Cmdlet was invoked on the machine WDigest configuration change Sensitive information lookup Suspicious registry export

Advanced hunting

To locate possible exploitation activities in Microsoft Defender for Endpoint, run the following queries.

Processes run by the IIS worker process

Look for procedures executed by the IIS worker process

// Broadly search for processes executed by the IIS worker process. Further investigation should be performed on any devices where the made process is indicative of reconnaissance DeviceProcessEvents | where InitiatingProcessFileName == ‘w3wp. exe’ | where InitiatingProcessCommandLine contains “MSExchange” | where FileName! in~( “csc.exe”, “cvtres.exe”, “conhost.exe”, “OleConverter.exe”, “wermgr.exe”, “WerFault.exe”, “TranscodingService.exe”) | programme FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Search for PowerShell spawned from the IIS worker process, observed most frequently in Lemon Duck with Base6 4 encoding to obfuscate C2 domains

DeviceProcessEvents | where FileName =~ “powershell.exe” | where InitiatingProcessFileName =~ “w3wp. exe” | where InitiatingProcessCommandLine contains “MSExchange” | project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Tampering

Search for Lemon Duck tampering with Microsoft Defender Antivirus

DeviceProcessEvents | where InitiatingProcessCommandLine has_all( “Set-MpPreference”, “DisableRealtimeMonitoring”, “Add-MpPreference”, “ExclusionProcess”) | project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Batch script actions

Search for batch scripts performing credential steal, as complied with in DoejoCrypt infections

DeviceProcessEvents | where InitiatingProcessFileName == “cmd.exe” | where InitiatingProcessCommandLine has “.bat” and InitiatingProcessCommandLine has @”C :\ Windows \ Temp” | where ProcessCommandLine has “reg save” | programme ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Look for evidence of batch script execution that leads to credential dumping

// Search for batch script executing, leading to credential dump using rundll3 2 and the COM Service DLL, dsquery, and makecab utilize DeviceProcessEvents | where InitiatingProcessFileName =~ “cmd.exe” | where InitiatingProcessCommandLine has “.bat” and InitiatingProcessCommandLine has @” \ inetpub \ wwwroot \ aspnet_client ” | where InitiatingProcessParentFileName has “w3wp” | where FileName != “conhost.exe” | project FileName, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Suspicious files dropped under an aspnet_client folder

Look for fell suspicious files like web shells and other components

// Search for suspicious files, including but not limited to batch scripts and web shells, plummeted under the file path C :\ inetpub \ wwwroot \ aspnet_client \ DeviceFileEvents | where InitiatingProcessFileName == “w3wp. exe” | where FolderPath has ” \\ aspnet_client \” | where InitiatingProcessCommandLine contains “MSExchange” | programme FileName, FolderPath, InitiatingProcessCommandLine, DeviceId, Timestamp

Checking for persistence on systems that ought to have supposed as compromised

Search for initiations of new local accounts

DeviceProcessEvents | where FileName == “net.exe” | where ProcessCommandLine has_all( “user”, “add”) | project ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Search for installing events that were used to download ScreenConnect for perseverance

Note that this query may be noisy and is not necessarily indicative of malicious activity alone.

DeviceProcessEvents | where FileName =~ “msiexec.exe” | where ProcessCommandLine has @”C :\ Windows \ Temp ” | parse-where kind= regex flags= i ProcessCommandLine with @”C :\ \ Windows \\ Temp \” filename: string @”. msi” | programme filename, ProcessCommandLine, InitiatingProcessCommandLine, DeviceId, Timestamp

Hunting for credential steal

Search for logon events related to services and scheduled undertakings on machines that may be Exchange servers. The results of this query should be used to verify whether any of these users have privileged roles that might have enabled further persistence.

let devices= DeviceProcessEvents | where InitiatingProcessFileName == “w3wp. exe” and InitiatingProcessCommandLine contains “MSExchange” | distinct DeviceId; // DeviceLogonEvents | where DeviceId in( machines) | where LogonType in( “Batch”, “Service”) | programme AccountName, AccountDomain, LogonType, DeviceId, Timestamp

Search for WDigest registry key modification, which allows for the LSASS process to store plaintext passwords.

DeviceRegistryEvents | where RegistryValueName == “UseLogonCredential” | where RegistryKey has “WDigest” and RegistryValueData == “1” | programme PreviousRegistryValueData, RegistryValueData, RegistryKey, RegistryValueName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Search for the COM services DLL being executed by rundll3 2, which can be used to dump LSASS memory.

DeviceProcessEvents | where InitiatingProcessCommandLine has_all( “rundll3 2. exe”, “comsvcs.dll”) | project FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Search for Security Account Manager( SAM) or SECURITY databases being saved, from which credentials can later be extracted.

DeviceProcessEvents | where FileName == “reg.exe” | where ProcessCommandLine has “save” and ProcessCommandLine has_any( “hklm \\ security”, “hklm \\ sam”) | programme InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp

Indicators

Selected indicators from strikes are included here, security threats may utilize files and network indicators not represented here.

Files( SH-A2 56)

The following are file hashes for some of the web shells observed on assaults 😛 TAGEND

201 e4e9910dcdc8c4ffad84b60b328978db8848d265c0b9ba8473cf65dcd0c41 2f0bc81c2ea269643cae307239124d1b6479847867b1adfe9ae712a1d5ef135e 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1 65149 e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d 8e90ed33c7ee82c0b64078ea36ec95f7420ba435c693b3b3dd728b494abf7dfc a291305f181e24fe7194154b4cd355ccb039d5765709c80999e392efec69c90a b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0 dd29e8d47dde124c7d14e614e03ccaab3ecaa50e0a0bef985ed59e98928bc13d

DoejoCrypt associated hashes 😛 TAGEND

02711916 1d11ba87acc908a1d284b93a6bcafccc012e52ce390ecb9cd745bf27 10bce0ff6597f347c3cca8363b7c81a8bff52d2ff81245cd1e66a6e11aeb25da 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff 904fbea2cd68383f32c5bc630d2227601dc52f94790fe7a6a7b6d44bfd904ff3 bf53b637683f9cbf92b0dd6c97742787adfbc12497811d458177fdeeae9ec748 e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6 fdec9 33 ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65 feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede

Lemon Duck associated hashes 😛 TAGEND

0993 cc228a74381773a3bb0aa36a736f5c41075fa3201bdef4215a8704e582fc 3df23c003d62c35bd6da90df12826c1d3fdd94029bf52449ba3d89920110d5ec 4f0b9c0482595eee6d9ece0705867b2aae9e4ff68210f32b7425caca763723b9 56101ab0881a6a34513a949afb5a204cad06fd1034f37d6791f3ab31486ba56c 69 ce57932c3be3374e8843602df1c93e1af622fc53f3f1d9b0a75b66230a1e2e 737752588f32e4c1d8d20231d7ec553a1bd4a0a090b06b2a1835efa08f9707c4 893 ddf0de 722 f345b675fd1ade93ee1de6f1cad034004f9165a696a4a4758c3e 9cf63310788e97f6e08598309cbbf19960162123e344df017b066ca8fcbed719 9f2fe33b1c7230ec583d7f6ad3135abcc41b5330fa5b468b1c998380d20916cd a70931ebb1ce4f4e7d331141ad9eba8f16f98da1b079021eeba875aff4aeaa85 d8 b5eaae03098bead91ff620656b9cfc569e5ac1befd0f55aee4cdb39e832b09 db093418921aae00187ae5dc6ed141c83614e6a4ec33b7bd5262b7be0e9df2cd dc612f5c0b115b5a13bdb9e86f89c5bfe232e5eb76a07c3c0a6d949f80af89fd f517526fc57eb33edb832920b1678d52ad1c5cf9c707859551fe065727587501 f8d388f502403f63a95c9879c806e6799efff609001701eed409a8d33e55da2f fbeefca700f84373509fd729579ad7ea0dabdfe25848f44b2fbf61bf7f909df0

Pydomer associated hashes 😛 TAGEND

7e07b6addf2f0d26eb17f4a1be1cba11ca8779b0677cedc30dbebef77ccba382 866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc 910 fbfa8ef 4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db a387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287 b9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f c25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908

Network indicators

Domains abused by Lemon Duck 😛 TAGEND

down [.] sqlnetcat [.] com t[.]sqlnetcat[.]com t [.] netcatkit [.] com

Pydomer DGA network indicators 😛 TAGEND

uiiuui [.] com/ search /* yuuuuu43[.]com/vpn-service/* yuuuuu4 4 [.] com/ vpn-service /* yuuuuu46[.]com/search/*

The post Analyzing attempts taking advantage of the Exchange Server vulnerabilities showed first on Microsoft Security .

Read more: microsoft.com