Hunting queries for Exchange activity

Hunting queries to detect ProxyLogon and other web exploitation activity.
2021-03-22 12:36:26 +00:00 · 2021-03-22 12:36:26 +00:00 · 729bdc58fb
--- a/Queries/MultipleDataSources/ExchangeServerSuspiciousURIsVisited.yaml
+++ b/Queries/MultipleDataSources/ExchangeServerSuspiciousURIsVisited.yaml
@ -0,0 +1,44 @@
+id: 43701f18-c903-489e-8cc9-a2e85dc3ad23
+name: Exchange Server Suspicious URIs Visited
+description: |
+  'This query will detect paths suspicious associated with ProxyLogon exploitation, it will then calculate the percentage of suspicious URIs
+  the user had visited in relation to the total number of URIs the user has visited. This query will assist in the detection of automated
+  ProxyLogon exploitation.'
+requiredDataConnectors: []
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+tags:
+  - Exchange
+query: |
+
+let timeRange = 7d;
+//Calculate number of suspicious URI stems visited by user
+W3CIISLog
+| where TimeGenerated > ago(timeRange) 
+| where not(ipv4_is_private(cIP))
+| where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)") or (csUriStem =~ "/ews/exchange.asmx")
+| extend userHash = hash_md5(strcat(cIP, csUserAgent))
+| summarize susCount=dcount(csUriStem), make_list(csUriStem), min(TimeGenerated), max(TimeGenerated) by userHash, cIP, csUserAgent
+| join kind=leftouter  (
+	//Calculate unique URI stems visited by each user
+	W3CIISLog
+	| where TimeGenerated > ago(timeRange)
+	| where not(ipv4_is_private(cIP))
+	| extend userHash = hash_md5(strcat(cIP, csUserAgent))
+	| summarize allCount=dcount(csUriStem) by userHash
+) on userHash
+//Find instances where only a common endpoint was seen
+| extend containsDefault = iff(list_csUriStem contains "/ews/exchange.asmx", 1, 0)
+//If we only see the common endpoint and nothing else dump it
+| extend result = iff(containsDefault == 1, containsDefault+susCount, 0)
+| where result != 2
+| extend susPercentage = susCount / allCount * 100
+| where susPercentage > 90
+| project StartTime=min_TimeGenerated, EndTime=max_TimeGenerated, AttackerIP=cIP, AttackerUA=csUserAgent, URIsVisited=list_csUriStem, suspiciousPercentage=susPercentage, allUriCount=allCount, suspiciousUriCount=susCount
+entityMappings:
+- entityType: NetworkConnection
+  fieldMappings:
+    - identifier: SourceAddress
+      columnName: AttackerIP
--- a/Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml
+++ b/Queries/MultipleDataSources/ExchangeServersAssociatedSecurityAlerts.yaml
@ -0,0 +1,31 @@
+id: 43701f18-c903-489e-8cc9-a2e85dc3ad23
+name: Exchange Servers and Associated Security Alerts
+description: |
+  'This query will dynamically identify Exchnage servers using common web paths used by the application in the csUriStem. The query
+  will then collect MDE alerts from the SecurityAlert table using the identified Exchange Server hostnames.'
+requiredDataConnectors: []
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+tags:
+  - Exchange
+query: |
+
+  W3CIISLog
+  | where csUriStem has_any("/owa/auth/", "/ecp/healthcheck.htm", "/ews/exchange.asmx")
+  | summarize by computer=tolower(Computer)
+  | join kind=leftouter (
+    SecurityAlert
+    | extend alertData = parse_json(Entities)
+    | mvexpand alertData
+    | where alertData.Type == "host"
+    | extend computer = iff(isnotempty(alertData.DnsDomain), tolower(strcat(tostring(alertData.HostName), "." , tostring(alertData.DnsDomain))),tolower(tostring(alertData.HostName)))
+    | summarize Alerts=dcount(SystemAlertId), AlertTimes=make_list(TimeGenerated), AlertNames=make_list(AlertName) by computer
+  ) on computer
+  | project ExchangeServer=computer, Alerts, AlertTimes, AlertNames
+entityMappings:
+- entityType: Host
+  fieldMappings:
+    - identifier: HostName
+      columnName: ExchangeServer
--- a/Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
+++ b/Queries/W3CIISLog/ExchangeServerProxyLogonURI.yaml
@ -0,0 +1,27 @@
+id: 43701f18-c903-489e-8cc9-a2e85dc3ad23
+name: Exchange Server ProxyLogon URIs
+description: |
+  'This query will detect paths suspicious associated with ProxyLogon exploitation'
+requiredDataConnectors: []
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+tags:
+  - Exchange
+query: |
+
+  W3CIISLog
+  | where TimeGenerated > ago(3d)
+  | where not(ipv4_is_private(cIP))
+  | where (csUriStem matches regex @"\/owa\/auth\/[A-Za-z0-9]{1,30}\.js") or (csUriStem matches regex @"\/ecp\/[A-Za-z0-9]{1,30}\.(js|flt|css)")
+  | project TimeGenerated, sSiteName, csMethod, csUriStem, sPort, sIP, cIP, csUserAgent
+entityMappings:
+- entityType: NetworkConnection
+  fieldMappings:
+    - identifier: DestinationAddress
+      columnName: sIP
+    - identifier: DestinationPort
+      columnName: sPort
+    - identifier: SourceAddress
+      columnName: cIP