Skip to content

Latest commit

 

History

History
96 lines (77 loc) · 5.3 KB

MicrosoftExchange.md

File metadata and controls

96 lines (77 loc) · 5.3 KB
Raw

Sure, here's an expanded checklist for Microsoft Exchange used in the CyberSecurity field. I'll provide detailed steps and considerations for each item:

Microsoft Exchange CyberSecurity Checklist

1. Check to see if any patches have been missed

  • Step 1: Review the current patch level against the latest cumulative updates and security patches provided by Microsoft.
    • Resources: Microsoft’s official security update guide, Microsoft Update Catalog.
    • Tools: PowerShell script for querying installed updates (Get-HotFix), or third-party vulnerability management tools like Nessus or Qualys.
  • Step 2: Identify missing patches and prioritize based on criticality.
    • Considerations: Review CVEs associated with the missing patches and assess the risk they pose to your environment.
  • Step 3: Plan and schedule patching.
    • Considerations: Ensure to have a rollback plan, test patches in a staging environment before applying them to production.

2. Check scheduled tasks

  • Step 1: Enumerate all scheduled tasks on the Exchange server.
    • Tools: Get-ScheduledTask PowerShell cmdlet.
  • Step 2: Review the purpose of each scheduled task and ensure they are legitimate.
    • Considerations: Look for tasks that run with elevated privileges or are set to run scripts and executables.
  • Step 3: Investigate and disable any suspicious or unnecessary tasks.
    • Considerations: Cross-reference with known good configurations and typical attack vectors (e.g., tasks created by malware).

Perform Recon

Local domain name

  • Step 1: Determine the local domain name.
    • Tools: nltest /dclist:, Get-ADDomain PowerShell cmdlet.
  • Considerations: Verify against documented network architecture and configurations.

Check the version

  • Step 1: Identify the current version of Microsoft Exchange.
    • Tools: Get-ExchangeServer PowerShell cmdlet, Get-MailboxServer for mailbox role versions.
  • Considerations: Verify the version against the list of supported versions and known vulnerabilities.

Brute Force Attacks

Use MailSniper Enum

  • Step 1: Use MailSniper to enumerate valid email addresses and other information.
    • Tools: MailSniper (Invoke-MailSniper).
  • Considerations: Use in a controlled environment to avoid detection by IDS/IPS systems.

Password Spray

  • Step 1: Perform a password spray attack.
    • Tools: MailSniper, Hydra, or custom scripts.
  • Considerations: Monitor account lockouts and throttle the attack to avoid detection. Use common passwords and avoid targeting admin accounts first.

Python NTLM password spray

  • Step 1: Use a Python script to perform NTLM password spray attacks.
    • Tools: Custom Python scripts, ntlmrelayx.
  • Considerations: Ensure you have permission to perform such tests and avoid disrupting legitimate access.

Look at the GAL (Global Address List)

Use exchanger.py impacket

  • Step 1: Use the exchanger.py script from the Impacket toolkit to query the GAL.
    • Tools: Impacket toolkit.
  • Considerations: Ensure compliance with usage policies and monitor for any abnormal activity triggered by the script.

Use ruler

  • Step 1: Use the Ruler tool to interact with the Exchange server.
    • Tools: Ruler (ruler --domain example.com --user user@example.com --password pass).
  • Considerations: Test in a non-production environment first to understand its impact.

Use ewsManage.py

  • Step 1: Use ewsManage.py to manage and interact with Exchange Web Services (EWS).
    • Tools: EWSManage script from GitHub.
  • Considerations: Be cautious of the data retrieved and ensure it is stored securely.

ProxyLogon

  • Step 1: Check for indicators of compromise (IOCs) related to ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
    • Tools: Microsoft’s ProxyLogon script, third-party detection tools.
  • Considerations: Ensure patches are applied and check for web shells or other malicious artifacts.

ProxyShell

  • Step 1: Assess for ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
    • Tools: Microsoft’s guidance, PowerShell scripts to check for vulnerable configurations.
  • Considerations: Apply necessary patches and review firewall and access controls.

Webshell

  • Step 1: Search for web shells on the Exchange server.
    • Tools: File integrity monitoring tools, manual inspection of web directories (C:\inetpub\wwwroot).
  • Considerations: Regularly scan and monitor for unusual file changes. Investigate and remove any found web shells.

Additional Considerations

  • Monitoring and Logging: Ensure robust logging is enabled for Exchange-related activities and regularly review logs for suspicious activities.
  • Backup and Recovery: Verify that backups are working correctly and perform regular restore tests.
  • Security Hardening: Follow best practices for Exchange hardening, such as disabling unnecessary services, applying the principle of least privilege, and securing access controls.

List of most famous CVE's for MS Exchange

cve-2021-31206
cve-2021-31207
cve-2021-34473
cve-2021-34523
cve-2021-26855
cve-2021-26857