DEV Community

Samuel Adeduntan
A Technical Deep Dive: Investigating Exchange Exploits and Lateral Movement in Splunk

Introduction

As a security engineer, I recently conducted a thorough investigation of a sophisticated attack campaign targeting the Microsoft Exchange servers in our environment. This article details my technical methodology, findings, and takeaways from this critical incident response engagement.

Project Overview

After identifying and evaluating ProxyShell attacks against our Exchange servers, the investigation focused on lateral movement attempts throughout our network. Using Splunk Enterprise Security supplemented with custom detections, I was able to locate and stop this attack campaign and offer remediation recommendations.

**Technical Environment:**

  • Splunk Enterprise Security: central SIEM platform
  • Windows Event Forwarding: centralized log collection
  • Sysmon: enhanced endpoint visibility
  • Microsoft Exchange Server 2019: the primary target
  • Active Directory Domain Services: authentication infrastructure

**Step 1: Initial Detection and Triage**

I started the investigation after noticing unusual PowerShell activity originating from our Exchange server:

[screenshot: detection query]

Two of the three ProxyShell exploit attempts found by this query were successful in creating web shells on our Exchange server. After the initial compromise, the mean time to detect (MTTD) was 37 minutes.
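The triage query itself is only in the screenshot, so here is an added example (not code from the original post) of the same two indicators applied to IIS W3C log lines in Python: Autodiscover requests carrying the ProxyShell path-confusion pattern, counted together with their HTTP 500 responses, and ASPX files appearing under /owa/auth/ that are not known OWA pages. The field order, the allowlist of legitimate /owa/auth/ pages, the address 198.51.100.23 and the log lines are all constructed for the example.

```python
"""Added example (not from the original post): parse IIS W3C log lines and flag
ProxyShell-style Autodiscover requests and unknown ASPX pages under /owa/auth/."""
from collections import defaultdict
from datetime import datetime

# Field order assumed for the sample; real logs carry it in the '#Fields:' directive.
IIS_FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
              "cs-username c-ip cs(User-Agent) sc-status").split()

# Assumed allowlist of legitimate pages directly under /owa/auth/; tune per build.
KNOWN_OWA_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx",
                        "/owa/auth/errorfe.aspx"}

# Constructed sample log; 198.51.100.23 is a made-up external client.
SAMPLE_IIS = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-15 10:02:11 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 10.0.0.77 Mozilla/5.0 200
2024-01-15 10:03:40 10.0.0.5 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3f@evil.example 443 - 198.51.100.23 python-requests/2.25 500
2024-01-15 10:03:41 10.0.0.5 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3f@evil.example 443 - 198.51.100.23 python-requests/2.25 200
2024-01-15 10:04:02 10.0.0.5 POST /autodiscover/autodiscover.json Email=autodiscover/autodiscover.json%3f@evil.example 443 - 198.51.100.23 python-requests/2.25 200
2024-01-15 10:05:30 10.0.0.5 GET /owa/auth/shell.aspx - 443 - 198.51.100.23 python-requests/2.25 200
2024-01-15 10:06:00 10.0.0.5 GET /owa/auth/15.2.1118/themes/resources/logon.css - 443 - 10.0.0.78 Mozilla/5.0 200
"""


def parse_iis(text):
    """Yield one dict per log record, skipping '#' directives and malformed lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(IIS_FIELDS):
            continue  # malformed line; count these separately in production
        rec = dict(zip(IIS_FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def is_proxyshell_autodiscover(rec):
    """Path-confusion requests repeat autodiscover.json inside the Email= parameter."""
    return (rec["cs-uri-stem"].lower().endswith("/autodiscover/autodiscover.json")
            and "email=autodiscover/autodiscover.json" in rec["cs-uri-query"].lower())


def is_unknown_owa_auth_aspx(rec):
    """Any ASPX directly under /owa/auth/ that is not a known OWA page."""
    stem = rec["cs-uri-stem"].lower()
    return (stem.startswith("/owa/auth/") and stem.endswith(".aspx")
            and stem not in KNOWN_OWA_AUTH_PAGES)


def analyze_iis(text):
    """Group both indicators per client IP and note whether the shell followed the exploit."""
    clients = defaultdict(lambda: {"autodiscover_hits": 0, "http_500": 0, "webshell_paths": [],
                                   "first_exploit": None, "first_shell": None})
    for rec in parse_iis(text):
        if is_proxyshell_autodiscover(rec):
            c = clients[rec["c-ip"]]
            c["autodiscover_hits"] += 1
            if rec["sc-status"] == "500":
                c["http_500"] += 1
            c["first_exploit"] = c["first_exploit"] or rec["ts"]
        elif is_unknown_owa_auth_aspx(rec):
            c = clients[rec["c-ip"]]
            if rec["cs-uri-stem"] not in c["webshell_paths"]:
                c["webshell_paths"].append(rec["cs-uri-stem"])
            c["first_shell"] = c["first_shell"] or rec["ts"]
    findings = {}
    for ip, c in clients.items():
        stages = []
        if c["autodiscover_hits"]:
            stages.append("ProxyShell Autodiscover requests (T1190)")
        if c["webshell_paths"]:
            stages.append("Web shell under /owa/auth/ (T1505.003)")
        c["stages"] = stages
        c["exploit_then_shell"] = bool(c["first_exploit"] and c["first_shell"]
                                       and c["first_shell"] > c["first_exploit"])
        findings[ip] = c
    return findings


if __name__ == "__main__":
    for ip, f in analyze_iis(SAMPLE_IIS).items():
        print(ip, f["stages"], "500s:", f["http_500"], "shell after exploit:", f["exploit_then_shell"])
```

The two predicates translate directly into a `where` clause over the IIS sourcetype in Splunk; keeping them as plain functions first lets you unit-test the logic against captured log lines before committing to an SPL search and a scheduled alert.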

**Step 2: Attack Reconstruction**

Using Splunk's timeline features, I reconstructed the attack flow:

| Stage | Technique | Evidence |
|---|---|---|
| Initial Access | ProxyShell exploitation | HTTP 500 logs with suspicious Autodiscover queries |
| Execution | Web shell deployment | IIS logs show an ASPX file uploaded to /owa/auth/ |
| Persistence | Scheduled task creation | Event ID 4698 shows the registration of a malicious task |
| Lateral Movement | RDP attempts | Event ID 4625 failed logon attempts originating from the Exchange server |
| Privilege Escalation | LSASS dumping | Sysmon Event ID 10 with suspicious process access |

**Step 3: Enhanced Detection Engineering**

To improve our detection capabilities, I deployed custom Sysmon configurations targeted at credential dumping activity:

[screenshot: Sysmon configuration]

I also developed custom Splunk queries to identify lateral movement:

[screenshot: lateral movement query]
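Both the Sysmon configuration and the lateral movement query are only shown as screenshots, so the following is an added example (not the post's own detections) that expresses the two Step 3 checks in Python over constructed events shaped like Splunk field extractions: a Sysmon Event ID 10 rule for non-allowlisted processes opening lsass.exe with a read-capable access mask, and a Security log rule for a burst of RDP (logon type 10) failures across several accounts from one source, followed by a success. The Exchange IP 10.0.0.5, the host FS01, the source-image allowlist and the thresholds are assumptions to tune for your estate.

```python
"""Added example (not from the original post): LSASS access and RDP lateral
movement detections over constructed Sysmon and Security events."""
from collections import defaultdict
from datetime import datetime, timedelta

PROCESS_VM_READ = 0x0010  # access right any LSASS memory read needs
# Assumed allowlist of processes that legitimately open lsass.exe; tune per estate.
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}
EXCHANGE_IPS = {"10.0.0.5"}  # assumed address of the Exchange server


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


# Constructed Sysmon Event ID 10 (ProcessAccess) records.
SYSMON_10 = [
    {"UtcTime": "2024-01-15 10:41:03", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"UtcTime": "2024-01-15 10:42:17",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2024-01-15 10:45:55", "SourceImage": r"C:\Windows\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]


def lsass_access_alerts(events):
    """Flag non-allowlisted source images opening lsass.exe with PROCESS_VM_READ set."""
    alerts = []
    for e in events:
        if _base(e["TargetImage"]) != "lsass.exe":
            continue
        mask = int(e["GrantedAccess"], 16)
        if mask & PROCESS_VM_READ and _base(e["SourceImage"]) not in LSASS_ALLOWED_SOURCES:
            alerts.append({"time": e["UtcTime"], "source": e["SourceImage"],
                           "granted": hex(mask), "technique": "T1003.001"})
    return alerts


def _sec(code, t, src, user, host="FS01"):
    # LogonType 10 = RemoteInteractive, i.e. RDP
    return {"EventCode": code, "_time": t, "IpAddress": src, "TargetUserName": user,
            "Computer": host, "LogonType": 10}


# Constructed Security events: a burst of failures from the Exchange server and
# then a success, plus one ordinary mistyped password from a workstation.
SECURITY = [
    _sec(4625, "2024-01-15 11:02:00", "10.0.0.5", "administrator"),
    _sec(4625, "2024-01-15 11:02:05", "10.0.0.5", "backup_svc"),
    _sec(4625, "2024-01-15 11:02:09", "10.0.0.5", "sqladmin"),
    _sec(4625, "2024-01-15 11:02:14", "10.0.0.5", "itadmin"),
    _sec(4624, "2024-01-15 11:03:10", "10.0.0.5", "itadmin"),
    _sec(4625, "2024-01-15 11:30:00", "10.0.0.41", "jsmith"),
    _sec(4624, "2024-01-15 11:30:20", "10.0.0.41", "jsmith"),
]


def rdp_lateral_movement_alerts(events, window=timedelta(minutes=10),
                                min_failures=4, min_users=3):
    """Per (source IP, destination host): many RDP failures across several accounts
    inside one window, optionally followed by a success, is a lateral movement signal."""
    by_pair = defaultdict(list)
    for e in events:
        if e["LogonType"] == 10:
            by_pair[(e["IpAddress"], e["Computer"])].append(e)
    alerts = []
    for (src, dst), evs in by_pair.items():
        evs.sort(key=lambda e: _t(e["_time"]))
        failures = [e for e in evs if e["EventCode"] == 4625]
        if len(failures) < min_failures:
            continue
        span = _t(failures[-1]["_time"]) - _t(failures[0]["_time"])
        users = {e["TargetUserName"] for e in failures}
        if span > window or len(users) < min_users:
            continue
        first_fail = _t(failures[0]["_time"])
        success = next((e for e in evs if e["EventCode"] == 4624
                        and _t(e["_time"]) >= first_fail), None)
        alerts.append({"source": src, "destination": dst, "failures": len(failures),
                       "distinct_users": len(users),
                       "success_user": success["TargetUserName"] if success else None,
                       "from_exchange": src in EXCHANGE_IPS, "technique": "T1021.001"})
    return alerts


if __name__ == "__main__":
    print(lsass_access_alerts(SYSMON_10))
    print(rdp_lateral_movement_alerts(SECURITY))
```

The `from_exchange` flag is the detail that turns a generic brute-force alert into a high-priority one here: an Exchange server has no business originating RDP sessions, so the same threshold logic should be weighted by where the source sits.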

**Step 4: Forensic Artifact Collection**

I gathered and examined several forensic artifacts:

- **Windows Security Logs:** Authentication events (Event ID 4624/4625) were the primary focus.
- **Sysmon Process Creation:** Determined the links between parent and child processes.
- **Netflow data:** Unusual network connections on port 3389 (RDP) were examined.
- **IIS Logs:** Analyzed file uploads and web shell activity.
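For the Sysmon process creation artifact, the useful reconstruction is the parent/child chain. The block below is an added example (not from the original post) that rebuilds ancestry from Sysmon Event ID 1 records via ProcessGuid and ParentProcessGuid and surfaces shell or utility processes that descend from the IIS worker process w3wp.exe, which is how web shell command execution appears on an Exchange host. The records, GUIDs and the watchlist of images are constructed for the example.

```python
"""Added example (not from the original post): rebuild process chains from Sysmon
Event ID 1 records and report shells descending from the IIS worker process."""

# Assumed watchlist of child images worth an alert when spawned under w3wp.exe.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "net.exe"}
WEB_WORKERS = {"w3wp.exe"}


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ev(t, guid, parent, image, cmdline):
    return {"UtcTime": t, "ProcessGuid": guid, "ParentProcessGuid": parent,
            "Image": image, "CommandLine": cmdline}


# Constructed Sysmon Event ID 1 records. {G0} and {G4} are parents outside the capture.
SYSMON_1 = [
    _ev("2024-01-15 10:05:31", "{G1}", "{G0}", r"C:\Windows\System32\inetsrv\w3wp.exe",
        "w3wp.exe -ap MSExchangeOWAAppPool"),
    _ev("2024-01-15 10:05:33", "{G2}", "{G1}", r"C:\Windows\System32\cmd.exe",
        'cmd.exe /c "powershell.exe -NoProfile -Command Get-Process"'),
    _ev("2024-01-15 10:05:34", "{G3}", "{G2}",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "powershell.exe -NoProfile -Command Get-Process"),
    _ev("2024-01-15 10:20:00", "{G5}", "{G4}", r"C:\Windows\explorer.exe", "explorer.exe"),
    _ev("2024-01-15 10:20:05", "{G6}", "{G5}", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
]


def build_index(events):
    """ProcessGuid -> event, the lookup table for walking parents."""
    return {e["ProcessGuid"]: e for e in events}


def ancestry(index, guid):
    """Chain of image basenames from the oldest known ancestor down to guid.
    Stops at parents outside the capture and guards against GUID cycles."""
    chain, seen = [], set()
    while guid in index and guid not in seen:
        seen.add(guid)
        chain.append(_base(index[guid]["Image"]))
        guid = index[guid]["ParentProcessGuid"]
    return list(reversed(chain))


def web_worker_shell_chains(events):
    """Report every watchlisted process that has w3wp.exe somewhere above it."""
    index = build_index(events)
    hits = []
    for e in events:
        if _base(e["Image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(index, e["ProcessGuid"])
        if any(img in WEB_WORKERS for img in chain[:-1]):
            hits.append({"time": e["UtcTime"], "chain": chain, "command": e["CommandLine"]})
    return hits


if __name__ == "__main__":
    for h in web_worker_shell_chains(SYSMON_1):
        print(h["time"], " -> ".join(h["chain"]), "|", h["command"])
```

The explorer.exe to cmd.exe chain is deliberately left in the sample: it is the benign case the walk must not report, and it is why the check looks at ancestors rather than only at the immediate parent.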

**Step 5: MITRE ATT&CK Mapping**

I used the MITRE ATT&CK framework to map the observed activity:

[screenshot: MITRE ATT&CK mapping]

This visualization helped communicate the technical findings to both security teams and management.

**Step 6: Compliance Impact Assessment**

As part of the investigation, I evaluated the compliance consequences:

**NIST 800-53 Controls**

  • SI-4 (System Monitoring): ✅ Compliant. The SPL queries provided sufficient monitoring.
  • IA-2 (Identification and Authentication): Partially compliant. The credential events suggested possible gaps.

**HIPAA Security Rule**

  • §164.308(a)(5)(ii)(B) (Log-in monitoring): implemented
  • §164.312(b) (Audit controls): verified

**Step 7: Remediation and Hardening**

Based on my findings, I took prompt corrective action:

**Immediate (24 hours):**

  • Applied Exchange Cumulative Update 23
  • Disabled legacy authentication methods
  • Reset all service account credentials

**Short-Term (1 Week):**

  • Implemented Just-In-Time (JIT) access for RDP
  • Implemented network segmentation for the Exchange servers
  • Enhanced logging for critical authentication events

**Long-Term (1 Month):**

  • Conducted purple team exercises
  • Built custom Splunk ML Toolkit anomaly detection
  • Implemented LSA Protection via Group Policy: `Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -Value 1`

**Step 8: Detection Improvements**

To increase detection accuracy and decrease false positives, I implemented the following measures.

Baseline Normal RDP Activity:

[screenshot: RDP baseline query]

  • Signal clustering: grouping related alerts reduced false positives by 40 percent.
  • Tiered alert severity scoring: alerts are prioritized according to their potential impact.
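The three Step 8 measures fit together as one pipeline, shown here as an added example (not the post's own code or its ML Toolkit model): a baseline of which source, destination and user combinations use RDP and at which hours, learned from historical 4624 logon type 10 events; deviation detection that only reports unseen pairs or off-hours use; clustering of deviations from the same source within a window into one incident; and a tiered severity derived from the reason, the destination's asset tier and the cluster size. The history, the new events, the host names, the tier list and the weights are constructed assumptions.

```python
"""Added example (not from the original post): RDP baseline, deviation detection,
alert clustering and tiered severity scoring over constructed 4624 events."""
from collections import defaultdict
from datetime import datetime, timedelta

TIER1_HOSTS = {"DC01", "EXCH01"}        # assumed high-impact assets
WEIGHTS = {"new_pair": 2, "off_hours": 2}  # assumed base scores per deviation reason


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed learning period: the admin workstation 10.0.0.41 reaches FS01 as
# itadmin at 09:00 and 14:00 on eleven days. Tuples are (time, src, dst, user).
HISTORY = [(f"2024-01-{day:02d} {hour:02d}:00:00", "10.0.0.41", "FS01", "itadmin")
           for day in range(2, 13) for hour in (9, 14)]

# Constructed events to evaluate: one normal session, three from the Exchange
# server (never seen before) and one at 02:10 from the admin workstation.
NEW_EVENTS = [
    ("2024-01-15 09:40:00", "10.0.0.41", "FS01", "itadmin"),
    ("2024-01-15 11:03:10", "10.0.0.5", "FS01", "itadmin"),
    ("2024-01-15 11:08:00", "10.0.0.5", "DC01", "itadmin"),
    ("2024-01-15 11:12:30", "10.0.0.5", "WS-HR03", "itadmin"),
    ("2024-01-16 02:10:00", "10.0.0.41", "FS01", "itadmin"),
]


def build_baseline(history):
    """(source, destination, user) -> set of hours of day seen in the learning period."""
    baseline = defaultdict(set)
    for ts, src, dst, user in history:
        baseline[(src, dst, user)].add(_t(ts).hour)
    return baseline


def detect_deviations(baseline, events):
    """Return only events that break the baseline, tagged with why."""
    out = []
    for ts, src, dst, user in events:
        key = (src, dst, user)
        if key not in baseline:
            reason = "new_pair"
        elif _t(ts).hour not in baseline[key]:
            reason = "off_hours"
        else:
            continue
        out.append({"time": _t(ts), "source": src, "destination": dst,
                    "user": user, "reason": reason})
    return out


def cluster_and_score(deviations, window=timedelta(minutes=15)):
    """Merge deviations from one source within the window into an incident, then score it."""
    incidents, open_by_source = [], {}
    for d in sorted(deviations, key=lambda d: d["time"]):
        inc = open_by_source.get(d["source"])
        if inc and d["time"] - inc["last"] <= window:
            inc["events"].append(d)
            inc["last"] = d["time"]
        else:
            inc = {"source": d["source"], "first": d["time"], "last": d["time"], "events": [d]}
            incidents.append(inc)
            open_by_source[d["source"]] = inc
    for inc in incidents:
        score = max(WEIGHTS[e["reason"]] for e in inc["events"])
        if any(e["destination"] in TIER1_HOSTS for e in inc["events"]):
            score += 2  # impact: a tier-1 asset is involved
        if len(inc["events"]) >= 3:
            score += 1  # breadth: one source touching several hosts
        inc["score"] = score
        inc["count"] = len(inc["events"])
        inc["severity"] = ("critical" if score >= 5 else "high" if score == 4
                           else "medium" if score >= 2 else "low")
    return incidents


if __name__ == "__main__":
    devs = detect_deviations(build_baseline(HISTORY), NEW_EVENTS)
    for inc in cluster_and_score(devs):
        print(inc["source"], inc["count"], "deviation(s)", inc["severity"])
```

Five raw events become two incidents: the three Exchange-sourced sessions collapse into one critical incident because a domain controller is among the destinations, while the single off-hours session from the admin workstation stays a medium-severity ticket rather than three separate low-value alerts.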

Key Takeaways From This Experience

  • Layered logging matters: absence of evidence is not evidence of absence. In-depth, multi-layer logging provided the visibility needed to identify this attack.
  • Baseline establishment: the investigation proceeded much more quickly because baselines for normal activity already existed.
  • Cross-team cooperation: rapid containment depended on effective communication between the SOC, network, and systems administration teams.
  • Automation opportunities: several manual investigation stages could be automated to respond to incidents more quickly in the future.

Conclusion

This investigation into Exchange Server attacks and lateral movement brought to light the importance of thorough logging, strong detection engineering, and cross-functional cooperation in cybersecurity incident response. By documenting and sharing this process, I hope to advance the security community's understanding and help those dealing with similar issues.

The technical approach outlined here lowered our mean time to respond (MTTR) to one hour and twelve minutes and produced actionable intelligence to stop future attacks of this nature.

Top comments (2)

Jessica Brown

Fantastic deep dive! The only shells I want near Exchange are taco shells, not web shells—your Splunk + Sysmon combo seasoned those ProxyShell gremlins nicely. Also love the ATT&CK mapping: finally a chart that makes both management and my SIEM happy.

Samuel Adeduntan

Many thanks to you, Jessica.