⬆ = trending up from previous month
⬇ = trending down from previous month
➡ = no change in rank from previous month
* Denotes a tie
Observations on trending threats
Here at Red Canary, we saw our customers doing a lot of testing in December. In September 2022, we started removing customer-reported testing from our top 10 trending threat lists to help reduce error and white noise. However, some testing is not explicitly marked as such by our customers, so it does not get removed from the trending threat numbers. We think these unmarked tests are reflected in December’s top 10 list. While Mimikatz and BloodHound are also leveraged by adversaries, we assess their place as the top 2 threats is likely due to unreported testing as opposed to a recent increase in their malicious use. Other trends to note include Zloader, Emotet, and Remote Utilities dropping out of the top 10, replaced by Cobalt Strike, Raccoon, and Shlayer.
ProxyNotShell exploitation of Exchange servers
Red Canary observed increasing exploitation of CVE-2022-41040 and CVE-2022-41082 in November and December 2022. In September 2022, security researchers identified variations of the Microsoft Exchange server ProxyShell vulnerability being exploited with limited scope. These new variations became known collectively as “ProxyNotShell.” We assess that the recent increase in exploitation is likely due to the public release of proof-of-concept (POC) code on November 16, as outlined by BleepingComputer.
Red Canary observed exploitation incorporating the following characteristics:
- Web shell files named `logout.aspx` being written to
- Activity initiated from `w3wp.exe` with a command line containing `MSExchangePowerShellAppPool`. Based on Red Canary testing, the activity we saw, and other researchers’ observations, malicious activity spawning from a `w3wp.exe` process with this command line is an indicator of potential ProxyNotShell exploitation.
- Execution of Visual Basic Scripts (`.vbs`) from the `windows\temp` folder writing a malicious Meterpreter executable and subsequently making network connections. The executable’s internal file name, `ab.exe`, is the default metadata used by Meterpreter for its payloads.
- In a separate intrusion, the malicious executable written to the `windows\temp` folder was a Cobalt Strike beacon.
- A malicious `.NET` binary designed to rewrite the aforementioned web shells.
Based on historic exploitation of previous Exchange vulnerabilities as well as the follow-on activity seen by ourselves and other researchers, we assess a high likelihood of domain-wide compromise if ProxyNotShell activity is not remediated early. We recommend all organizations remediate CVE-2022-41040 and CVE-2022-41082 by following Microsoft’s guidance to update Exchange to the latest version.
There are many behavior-based detection opportunities available during ProxyNotShell exploitation. One of those opportunities is keeping an eye on dynamic link library (DLL) files executing from the Windows Temp directory. Adversaries like to drop payloads in `windows\temp` because it’s typically available to all users on a system with read/write privileges enabled by default.
Detection opportunity: Rundll32 executing DLL files located in the Windows Temp directory
The following pseudo-detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from `windows\temp`, so additional investigation may be needed to determine if the behavior is malicious.
```
process == (rundll32.exe)
command_line_includes == (windows\temp)
command_line_does_not_include == (*)
```
`*` is a placeholder for approved software in your environment that loads legitimate DLLs from
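As an added example (not Red Canary’s code or detection logic), the following Python turns the ProxyNotShell characteristics listed above and the Rundll32 pseudo-analytic into rules run over constructed process-start telemetry. The event fields, the sample command lines, the `VendorUpdater` allowlist entry and the rule names are all assumptions made for the illustration; the `MSExchangePowerShellAppPool` and `windows\temp` strings and the `ab.dll`/`.vbs` shapes come from the behaviors described on the page.

```python
"""
Rule-based detection over process-start events for the ProxyNotShell
follow-on behaviors described above. Example code only; event shape,
sample values and rule names are assumptions, not a vendor's schema.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Sequence, Tuple


@dataclass
class ProcessEvent:
    process: str                 # image name of the newly started process
    command_line: str            # its full command line
    parent_process: str          # image name of the parent
    parent_command_line: str = ""  # parent's command line, if the sensor records it


# Constructed sample telemetry (placeholders, not real intrusion data).
SAMPLE_EVENTS: List[ProcessEvent] = [
    # DLL loaded by rundll32 straight out of Windows\Temp: the page's analytic.
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Windows\Temp\ab.dll,Start", "cmd.exe"),
    # Same shape, but from an assumed approved product that we will allowlist.
    ProcessEvent("rundll32.exe", r"rundll32.exe C:\Windows\Temp\VendorUpdater\upd.dll,Run", "VendorSvc.exe"),
    # Child of the Exchange PowerShell app pool worker: ProxyNotShell indicator.
    ProcessEvent("cmd.exe", "cmd.exe /c whoami", "w3wp.exe",
                 'C:\\Windows\\System32\\inetsrv\\w3wp.exe -ap "MSExchangePowerShellAppPool" -v "v4.0"'),
    # A different app pool spawning normally: must not fire.
    ProcessEvent("w3wp.exe", 'w3wp.exe -ap "MSExchangeOWAAppPool"', "svchost.exe"),
    # VBScript executed from Windows\Temp, as in the Meterpreter case above.
    ProcessEvent("wscript.exe", r"wscript.exe C:\Windows\Temp\run.vbs", "cmd.exe"),
    # VBScript from an ordinary location: must not fire.
    ProcessEvent("wscript.exe", r"wscript.exe C:\Scripts\inventory.vbs", "explorer.exe"),
]

WINDOWS_TEMP = "windows\\temp"   # matched case-insensitively below


def rule_rundll32_windows_temp(e: ProcessEvent, approved: Sequence[str]) -> bool:
    """process == rundll32.exe, command line includes windows\\temp, and does
    not include any approved-software marker (the '*' placeholder above)."""
    cl = e.command_line.lower()
    return (e.process.lower() == "rundll32.exe"
            and WINDOWS_TEMP in cl
            and not any(a.lower() in cl for a in approved))


def rule_w3wp_exchange_powershell_child(e: ProcessEvent, approved: Sequence[str]) -> bool:
    """Any process spawned by w3wp.exe whose command line names the Exchange
    PowerShell app pool. Expect to tune this against legitimate admin activity."""
    return (e.parent_process.lower() == "w3wp.exe"
            and "msexchangepowershellapppool" in e.parent_command_line.lower())


def rule_script_from_windows_temp(e: ProcessEvent, approved: Sequence[str]) -> bool:
    """wscript/cscript executing a .vbs that lives in windows\\temp."""
    cl = e.command_line.lower()
    return (e.process.lower() in ("wscript.exe", "cscript.exe")
            and ".vbs" in cl and WINDOWS_TEMP in cl)


Rule = Callable[[ProcessEvent, Sequence[str]], bool]
RULES: List[Tuple[str, Rule]] = [
    ("rundll32_windows_temp_dll", rule_rundll32_windows_temp),
    ("w3wp_exchange_powershell_child", rule_w3wp_exchange_powershell_child),
    ("script_from_windows_temp", rule_script_from_windows_temp),
]


def detect(events: Iterable[ProcessEvent], approved: Sequence[str] = ()) -> List[Tuple[str, str]]:
    """Return (rule_name, command_line) for every event a rule matches, in event order."""
    alerts = []
    for e in events:
        for name, rule in RULES:
            if rule(e, approved):
                alerts.append((name, e.command_line))
    return alerts


if __name__ == "__main__":
    for name, cl in detect(SAMPLE_EVENTS, approved=["VendorUpdater"]):
        print(f"[{name}] {cl}")
```

With the allowlist applied, the second rundll32 event is suppressed and three alerts remain; without it, the approved updater also fires, which is exactly the investigation overhead the paragraph above warns about.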