Microsoft’s MSERT Tool Can Now Detect Exchange Server Indicators of Compromise
Microsoft has updated its MSERT security scanning tool so that it can detect the web shell scripts used in the recent Exchange Server attacks.
Windows Defender has also been updated to detect the web shells. The Microsoft Safety Scanner (https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download), also called MSERT, can be used to detect the implanted web shells and will automatically remove them unless you start it with the /N (detect-only) argument; use /N if you want the files preserved as evidence for an investigation. Note that MSERT is not a real-time defense tool and only performs spot checks, and a downloaded copy expires 10 days after download, so fetch a fresh copy before scanning. Select the full scan option, which can take a while. Microsoft also released a PowerShell script, Test-ProxyLogon.ps1, that searches Exchange and OWA log files for IOCs; see the GitHub CSS-Exchange link below.
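The two checks above, wired together as an added example (this is not code from the article or from Microsoft). It assumes msert.exe and Test-ProxyLogon.ps1 have been downloaded to C:\Tools, that it runs from an elevated Exchange Management Shell (Get-ExchangeServer is not available in a plain PowerShell session), and that the msert.log detection wording and the Test-ProxyLogon.ps1 -OutPath parameter match the current Microsoft documentation; those names are assumptions to confirm before use.

```powershell
# Added example, not the article's or Microsoft's own code.
# Assumptions: msert.exe and Test-ProxyLogon.ps1 live in C:\Tools; the session is
# elevated and is an Exchange Management Shell (needed for Get-ExchangeServer).
# MSERT switches used (documented):
#   /N  detect only, do not remove  (keeps web shells intact as evidence)
#   /F  force a full scan           (the full scan the article recommends)
#   /Q  quiet, no UI
# MSERT writes its results to %SystemRoot%\Debug\msert.log.

$Tools    = 'C:\Tools'                             # assumption: download location
$Msert    = Join-Path $Tools 'msert.exe'
$Tpl      = Join-Path $Tools 'Test-ProxyLogon.ps1'
$OutPath  = Join-Path $Tools 'ProxyLogonResults'   # assumption: where findings go
$MsertLog = Join-Path $env:SystemRoot 'Debug\msert.log'

foreach ($f in $Msert, $Tpl) {
    if (-not (Test-Path $f)) {
        throw "Missing $f - download a fresh copy (MSERT expires 10 days after download)."
    }
}

# 1. Detect-only full scan. Archive any earlier msert.log first so the new log
#    holds only this run and the old one is kept as evidence.
if (Test-Path $MsertLog) {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    Rename-Item -Path $MsertLog -NewName "msert-$stamp.log"
}
$p = Start-Process -FilePath $Msert -ArgumentList '/N', '/F', '/Q' -Wait -PassThru
Write-Host "MSERT finished with exit code $($p.ExitCode); log: $MsertLog"

# Pull detection lines out of this run's log. The pattern is an assumption about
# the log wording; broaden it if your msert.log phrases detections differently.
$hits = @()
if (Test-Path $MsertLog) {
    $hits = @(Get-Content $MsertLog | Where-Object { $_ -match 'Threat detected|Found ' })
}
if ($hits.Count -gt 0) {
    Write-Warning "MSERT reported $($hits.Count) detection line(s):"
    $hits | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'MSERT reported no detections (a clean spot check is not proof of no compromise).'
}

# 2. Log-based IOC sweep with Microsoft's script across every Exchange server.
#    Piping server objects and using -OutPath follows the CSS-Exchange README
#    (assumption: confirm parameter names against the current copy of the script).
New-Item -ItemType Directory -Path $OutPath -Force | Out-Null
Get-ExchangeServer | & $Tpl -OutPath $OutPath

# Anything written to $OutPath is a finding to triage; an empty folder means the
# script found no IOCs in the logs it examined.
Get-ChildItem -Path $OutPath -Recurse -File | Select-Object FullName, Length, LastWriteTime
```

Run MSERT with /N first and keep the archived logs and the $OutPath folder together with the server name and scan time; if either step reports a hit, treat the host as compromised and move to full incident response rather than re-running the scan with removal enabled.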
Given the nature of these vulnerabilities and how widely they have been exploited, if your company has not yet applied the patches, assume you have been breached and respond accordingly. Applying the patches closes the vulnerabilities but does not remove any web shells or other backdoors that attackers may have planted before the patches were applied.