Microsoft has updated their Microsoft Safety Scanner (MSERT) tool so that it detects Web Shells installed on your Exchange servers through the ProxyLogon vulnerability.

Last week Microsoft issued emergency patches to address four zero-day exploits that were being exploited by the Hafnium group.  Since the disclosures, criminal groups have been targeting Microsoft Exchange Servers around the world and racing to install their own web shells and infiltrate corporate networks before patches are applied to the Exchange servers.

The four vulnerabilities, collectively known as ProxyLogon, are a pre-authentication remote code execution vulnerability for Outlook Web Access (OWA) that affects all supported version of Microsoft Exchange Server.

By installing a Web Shell, attackers establish persistent access to the server (that will still work after the security patches have been applied) allowing future data exfiltration or ransomware attacks.

If you have Outlook Web Access deployed on your Exchange server, it is prudent to work on the assumption that it has been compromised until you can prove it has not been infiltrated – and run a full backup asap as your only defence against ransomware in the short term.

Microsoft’s Support Emergency Response Tool (MSCERT) – also known as the Safety Scanner – is a standalone tool that uses the Microsoft Defender signatures to run on-demand security scans of servers and personal computers. MSCERT has now been updated to detect known Web Shells being used in ProxyLogon attacks by Hafnium and other criminal groups.

MSCERT should be run as a Full System Scan, advises Microsoft, and it will delete any suspect files immediately unless you run it with the /N option.

There is also a PowerShell script released by Microsoft on GitHub that searches for Indicators of Compromise (IoC) called Test-ProxyLogon.