CVE_detections.md

File metadata and controls

54 lines (28 loc) · 2.82 KB

CVEs Exploited in Operation Exchange Marauder

CVE-2021-26855: Exploitation can be detected via the following Exchange HttpProxy logs.

These logs are located in the following directory:

"%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy"

Exploitation can be identified by searching for log entries where the AuthenticatedUser field is empty and the AnchorMailbox field matches the pattern "ServerInfo~*/*".

Here is an example PowerShell command to find these log entries:

```powershell
Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | Select-Object DateTime, AnchorMailbox
```

If activity is detected, the logs specific to the application specified in the AnchorMailbox path can be used to help determine what actions were taken.

These logs are located in the "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging" directory.
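The following script is an added example, not part of the original page, that carries the CVE-2021-26855 check above a step further: it only parses files that actually contain "ServerInfo~" (large HttpProxy directories make a plain Import-Csv over every file slow), and it extracts the application segment of each matching AnchorMailbox so the responder knows which per-application log folder under the Logging directory to review next. It assumes the HttpProxy logs are CSV files with a header row and that a ClientIpAddress column exists alongside the DateTime, AuthenticatedUser and AnchorMailbox columns named on the page.

```powershell
# Added example: sweep HttpProxy logs for the CVE-2021-26855 indicator
# (empty AuthenticatedUser + AnchorMailbox of the form ServerInfo~<host>/<app>/...)
# and report which Exchange application each hit was proxied to.
# Assumption: CSV header row with DateTime, ClientIpAddress (assumed name),
# AuthenticatedUser and AnchorMailbox columns.
function Find-ServerInfoAnchorHits {
    [CmdletBinding()]
    param(
        [string]$LogRoot = "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy"
    )

    $files = Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' -File
    foreach ($file in $files) {
        # Cheap text scan first: most log files never mention "ServerInfo~",
        # so skip the comparatively expensive CSV parse for them.
        if (-not (Select-String -Path $file.FullName -Pattern 'ServerInfo~' -Quiet)) {
            continue
        }

        Import-Csv -Path $file.FullName |
            Where-Object {
                [string]::IsNullOrEmpty($_.AuthenticatedUser) -and
                $_.AnchorMailbox -like 'ServerInfo~*/*'
            } |
            ForEach-Object {
                # AnchorMailbox reads ServerInfo~<host>/<application>/...;
                # the first path segment after the host names the proxied
                # application (e.g. ecp, owa, autodiscover), which tells you
                # which per-application log directory to examine.
                $app = ($_.AnchorMailbox -split '/', 3)[1]
                [pscustomobject]@{
                    LogFile         = $file.Name
                    DateTime        = $_.DateTime
                    ClientIpAddress = $_.ClientIpAddress
                    AnchorMailbox   = $_.AnchorMailbox
                    Application     = $app
                }
            }
    }
}

# Usage: newest hits first, grouped view of which applications were targeted.
$hits = Find-ServerInfoAnchorHits
$hits | Sort-Object DateTime -Descending | Format-Table -AutoSize
$hits | Group-Object Application | Select-Object Name, Count
```

Any non-empty result should be treated as a confirmed indicator for this CVE, and the Application column points at the folder under "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging" whose logs record what the request went on to do.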

CVE-2021-26858: Exploitation can be detected via the Exchange log files:

These logs are located in the following directory:

"C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog"

Files should only be downloaded to the "%PROGRAMFILES%\Microsoft\Exchange Server\V15\ClientAccess\OAB\Temp" directory; in case of exploitation, files are downloaded to other directories (UNC or local paths).

Windows command to search for potential exploitation:

```cmd
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log"
```

CVE-2021-26857: Exploitation can be detected via the Windows Application event log.

The exploitation of this deserialization bug will create Application events with the following properties:

  • Source: MSExchange Unified Messaging
  • EntryType: Error
  • Event Message Contains: System.InvalidCastException

Below is a PowerShell command to query the Application Event Log for these log entries:

```powershell
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" }
```

CVE-2021-27065: Exploitation can be detected via the following Exchange log files.

These logs are located in the following directory:

"C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server"

No Set-<AppName>VirtualDirectory property should ever contain script, and InternalUrl and ExternalUrl should only ever be valid URIs.

Following is a PowerShell command to search for potential exploitation:

```powershell
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory'
```