Sure, here's an expanded checklist for Microsoft Exchange used in the CyberSecurity field. I'll provide detailed steps and considerations for each item:
- Step 1: Review the current patch level against the latest cumulative updates and security patches provided by Microsoft.
- Resources: Microsoft’s official security update guide, Microsoft Update Catalog.
- Tools: PowerShell script for querying installed updates (
Get-HotFix
), or third-party vulnerability management tools like Nessus or Qualys.
- Step 2: Identify missing patches and prioritize based on criticality.
- Considerations: Review CVEs associated with the missing patches and assess the risk they pose to your environment.
- Step 3: Plan and schedule patching.
- Considerations: Ensure to have a rollback plan, test patches in a staging environment before applying them to production.
- Step 1: Enumerate all scheduled tasks on the Exchange server.
- Tools:
Get-ScheduledTask
PowerShell cmdlet.
- Tools:
- Step 2: Review the purpose of each scheduled task and ensure they are legitimate.
- Considerations: Look for tasks that run with elevated privileges or are set to run scripts and executables.
- Step 3: Investigate and disable any suspicious or unnecessary tasks.
- Considerations: Cross-reference with known good configurations and typical attack vectors (e.g., tasks created by malware).
- Step 1: Determine the local domain name.
- Tools:
nltest /dclist:
,Get-ADDomain
PowerShell cmdlet.
- Tools:
- Considerations: Verify against documented network architecture and configurations.
- Step 1: Identify the current version of Microsoft Exchange.
- Tools:
Get-ExchangeServer
PowerShell cmdlet,Get-MailboxServer
for mailbox role versions.
- Tools:
- Considerations: Verify the version against the list of supported versions and known vulnerabilities.
- Step 1: Use MailSniper to enumerate valid email addresses and other information.
- Tools: MailSniper (
Invoke-MailSniper
).
- Tools: MailSniper (
- Considerations: Use in a controlled environment to avoid detection by IDS/IPS systems.
- Step 1: Perform a password spray attack.
- Tools: MailSniper, Hydra, or custom scripts.
- Considerations: Monitor account lockouts and throttle the attack to avoid detection. Use common passwords and avoid targeting admin accounts first.
- Step 1: Use a Python script to perform NTLM password spray attacks.
- Tools: Custom Python scripts,
ntlmrelayx
.
- Tools: Custom Python scripts,
- Considerations: Ensure you have permission to perform such tests and avoid disrupting legitimate access.
- Step 1: Use the
exchanger.py
script from the Impacket toolkit to query the GAL.- Tools: Impacket toolkit.
- Considerations: Ensure compliance with usage policies and monitor for any abnormal activity triggered by the script.
- Step 1: Use the Ruler tool to interact with the Exchange server.
- Tools: Ruler (
ruler --domain example.com --user user@example.com --password pass
).
- Tools: Ruler (
- Considerations: Test in a non-production environment first to understand its impact.
- Step 1: Use
ewsManage.py
to manage and interact with Exchange Web Services (EWS).- Tools: EWSManage script from GitHub.
- Considerations: Be cautious of the data retrieved and ensure it is stored securely.
- Step 1: Check for indicators of compromise (IOCs) related to ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065).
- Tools: Microsoft’s ProxyLogon script, third-party detection tools.
- Considerations: Ensure patches are applied and check for web shells or other malicious artifacts.
- Step 1: Assess for ProxyShell vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207).
- Tools: Microsoft’s guidance, PowerShell scripts to check for vulnerable configurations.
- Considerations: Apply necessary patches and review firewall and access controls.
- Step 1: Search for web shells on the Exchange server.
- Tools: File integrity monitoring tools, manual inspection of web directories (
C:\inetpub\wwwroot
).
- Tools: File integrity monitoring tools, manual inspection of web directories (
- Considerations: Regularly scan and monitor for unusual file changes. Investigate and remove any found web shells.
- Monitoring and Logging: Ensure robust logging is enabled for Exchange-related activities and regularly review logs for suspicious activities.
- Backup and Recovery: Verify that backups are working correctly and perform regular restore tests.
- Security Hardening: Follow best practices for Exchange hardening, such as disabling unnecessary services, applying the principle of least privilege, and securing access controls.
cve-2021-31206
cve-2021-31207
cve-2021-34473
cve-2021-34523
cve-2021-26855
cve-2021-26857