Technical Tip: How to use FortiAnalyzer to detect indicators attributed to Microsoft's ProxyShell vulnerabilities
Description
This article describes how to use a custom Event Handler and Report in FortiAnalyzer to detect indicators attributed to ProxyShell. ProxyShell is an exploit chain involving three Microsoft Exchange vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. These can be exploited on vulnerable Microsoft Exchange servers.
For more information on the threat, also see the FortiGuard Lab Threat Signal Report:
Coverage of the vulnerabilities can be found in the latest IPS and Endpoint Vulnerability signatures:
Information on FortiAnalyzer's Event Handler and Report is coming soon.
