My Steps of Reproducing ProxyShell
Tags
attack-pattern: Data Exploits - T1587.004 Exploits - T1588.005 Powershell - T1059.001 Python - T1059.006 Server - T1583.004 Server - T1584.004 Web Service - T1481 Connection Proxy - T1090 Powershell - T1086 Web Service - T1102
Show in Graph
Common Information
Type Value
UUID aaadcbc3-63ec-428d-a1f9-0679e2fc6715
Fingerprint b78811d3ab0da29d
Analysis status DONE
Considered CTI value 0
Text language
Published Aug. 12, 2021, 10:46 a.m.
Added to db Jan. 19, 2023, 12:04 a.m.
Last updated Nov. 17, 2024, 6:49 p.m.
Headline My Steps of Reproducing ProxyShell
Title My Steps of Reproducing ProxyShell
Detected Hints/Tags/Attributes 48/1/27
Source URLs
Redirection Url
Details Source https://y4y.space/2021/08/12/my-steps-of-reproducing-proxyshell/
URL Provider
Details Provider Source level domain
Details y4y.space y4y.space
Attributes
Details Type #Events CTI Value
Details Domain 2 
microsoft.exchange.security
Details Domain 3 
self.rfile.read
Details Domain 73 
schemas.microsoft.com
Details Domain 47 
microsoft.exchange
Details Domain 98 
requests.post
Details Domain 150 
www.w3.org
Details Domain 32 
schemas.xmlsoap.org
Details Domain 1 
peterjson.medium.com
Details Domain 1 
www.bloggingforlogging.com
Details File 1 
authorization.dll
Details File 7 
autodiscover.xml
Details File 31 
schemas.xml
Details File 1 
fileattachment.txt
Details File 1 
us-21-proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server.pdf
Details IPv4 1441 
127.0.0.1
Details Url 1 
https://exchange/autodiscover/autodiscover.xml
Details Url 1 
http://127.0.0.1:80/powershell
Details Url 1 
http://schemas.microsoft.com/powershell/microsoft.exchange
Details Url 50 
http://www.w3.org/2001/xmlschema-instance
Details Url 3 
http://schemas.microsoft.com/exchange/services/2006/messages
Details Url 2 
http://schemas.microsoft.com/exchange/services/2006/types
Details Url 24 
http://schemas.xmlsoap.org/soap/envelope
Details Url 1 
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-pst/5faf4800-645d-49d1-9457-2ac40eb467bd
Details Url 1 
https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
Details Url 1 
https://i.blackhat.com/usa21/wednesday-handouts/us-21-proxylogon-is-just-the-tip-of-the-iceberg-a-new-attack-surface-on-microsoft-exchange-server.pdf
Details Url 1 
https://www.bloggingforlogging.com/2018/08/14/powershell-remoting-on-python
Details Url 1 
https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/how-to-add-attachments-by-using-ews-in-exchange