Hello,
how does one evaluate the results of this Test-ProxyLogon script with regard to a HAFNIUM attack?
ProxyLogon Status: Exchange Server MAIL-CONTOSO
Log age days: Oabgen -204,0 Ecp -234,5 Autod -204,0 Eas -204,0 EcpProxy -204,0 Ews -204,0 Mapi -204,0 Oab -204,0 Owa -204,0 OwaCal -204,0 Powershell -204,0 RpcHttp -204,0
Report exported to: C:\Users\administrator.contoso\Desktop\Test-ProxyLogonLogs\MAIL-CONTOSO-LogAgeDays.csv
[CVE-2021-26855] Suspicious activity found in Http Proxy log!
Report exported to: C:\Users\administrator.CONTOSO\Desktop\Test-ProxyLogonLogs\MAIL-CONTOSO-Cve-2021-26855.csv
Other suspicious files found: 37
Report exported to: C:\Users\administrator.CONTOSO\Desktop\Test-ProxyLogonLogs\MAIL-CONTOSO-other.csv
Has the CVE-2021-26855 vulnerability already been exploited? Or could these just be attack attempts?
MAIL-CONTOSO-Cve-2021-26855
Regards
SirNibo
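As an added example (my own code, not part of the original post or of the Test-ProxyLogon script): a Python triage of the exported Cve-2021-26855 CSV that groups records by whether the front end relayed the forged request and got an answer (HttpStatus 200) or the request was rejected (401/500). The column names follow the export shown above; the severity rules are my own heuristic, and the sample rows are constructed with RFC 5737 documentation IPs and a hypothetical MAIL01.example.local host.

```python
import csv

# Constructed sample in the column layout of the Test-ProxyLogon
# Cve-2021-26855 export; IPs are RFC 5737 documentation addresses and
# MAIL01.example.local is a hypothetical server name, not real data.
SAMPLE_CSV = '''#TYPE Selected.System.Management.Automation.PSCustomObject
"DateTime","RequestId","ClientIpAddress","UrlHost","UrlStem","RoutingHint","UserAgent","AnchorMailbox","HttpStatus"
"2021-03-03T07:39:35.462Z","id-1","192.0.2.10","mail.example","/ecp/y.js","X-BEResource-Cookie","ExchangeServicesClient/0.0.0.0","ServerInfo~a]@MAIL01.example.local:444/autodiscover/autodiscover.xml?#","200"
"2021-03-05T19:43:14.830Z","id-2","192.0.2.11","mail.example","/ecp/program.js","X-BEResource-Cookie","ExchangeServicesClient/0.0.0.0","ServerInfo~a]@MAIL01/autodiscover/autodiscover.xml#","401"
"2021-03-07T00:58:02.968Z","id-3","198.51.100.5","localhost","/ecp/default.flt","X-BEResource-Cookie","Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)","ServerInfo~localhost/owa/auth/logon.aspx?","500"
"2021-03-07T08:51:38.796Z","id-4","198.51.100.6","mail.example","/owa/auth/x.js","X-AnonResource-Backend-Cookie","Mozilla/5.0","ServerInfo~burpcollaborator.net/ecp/default.flt?","200"
'''

# User-Agent fragments of mass vulnerability scanners seen in such exports.
SCANNER_UA_MARKERS = ("nmap scripting engine", "zgrab")

def rows(csv_text):
    """Parse the export; Export-Csv prepends a '#TYPE ...' line that must be skipped."""
    lines = [ln for ln in csv_text.splitlines() if not ln.startswith("#TYPE")]
    return csv.DictReader(lines)

def triage(row):
    """Return (severity, reason) for one HttpProxy record.

    Heuristic (mine, not the script's): HttpStatus 200 means the relayed request
    was answered, 401/500 means it was rejected; a 200 whose AnchorMailbox points
    at the internal backend (:444) most strongly calls for webshell hunting."""
    status = row["HttpStatus"]
    anchor = row["AnchorMailbox"]
    ua = row["UserAgent"].lower()
    if status == "200" and ":444/" in anchor:
        return ("high", "backend answered forged request (HTTP 200 via :444 anchor)")
    if status == "200":
        return ("medium", "HTTP 200 on proxied request, check what the target returned")
    if any(m in ua for m in SCANNER_UA_MARKERS):
        return ("low", "scanner probe rejected with HTTP " + status)
    return ("low", "attempt rejected with HTTP " + status)

def summarize(csv_text):
    """Group RequestIds of the export by severity, e.g. {'high': ['id-1'], ...}."""
    out = {"high": [], "medium": [], "low": []}
    for row in rows(csv_text):
        out[triage(row)[0]].append(row["RequestId"])
    return out

if __name__ == "__main__":
    for row in rows(SAMPLE_CSV):
        sev, why = triage(row)
        print(f"{sev:6} {row['DateTime']} {row['ClientIpAddress']:13} {row['UrlStem']:17} {why}")
```

A "high" record shows that the server answered a forged request, not by itself that a webshell was written; correlate it with the entries in the "other suspicious files" report and a review of the web directories before concluding the server was compromised.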