Merge pull request #344 from microsoft/main

Release
microsoft · Mar 12, 2021 · 1b24eb9 · 1b24eb9
2 parents f08d721 + 1f82d08
commit 1b24eb9
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 8 deletions.
diff --git a/Security/README.md b/Security/README.md
@@ -116,13 +116,17 @@ For more information please go to [https://aka.ms/exchangevulns](https://aka.ms/
 
 `.\CompareExchangeHashes.ps1`
 
-The script currently only validates files in exchange virtual directories only, it does not check any files in the IIS root.
+This script takes the following actions:
+* Checks file hashes in exchange vdirs against known good baseline of hashes.
+* Any file under IIS root which is edited after Dec 1st 2020 is marked as suspicious.
+
 **This script needs to be run as administrator on all the exchange servers separately**.
 
 The script determines the version of exchange installed on the server and then downloads the hashes for known exchange files from the [published known good hashes of exchange files](https://github.com/microsoft/CSS-Exchange/releases/latest).
 
 The result generated is stored in a file locally with the following format: <ExchangeVersion>_result.csv
 If potential malicious files are found during comparision there is an error generated on the cmdline.
+* Note: If the result file contains huge number of rows, it is potentially due to missing baseline hashes, please find the exchange versions found on the machine and leave a comment on issue [313](https://github.com/microsoft/CSS-Exchange/issues/313)
 
 To read the output, open the result csv file in excel or in powershell:
 

diff --git a/Security/src/Test-ProxyLogon.ps1 b/Security/src/Test-ProxyLogon.ps1
@@ -256,15 +256,22 @@ begin {
                 }
                 #endregion Functions
 
-                [PSCustomObject]@{
+                $results = [PSCustomObject]@{
                     ComputerName = $env:COMPUTERNAME
                     Cve26855     = Get-Cve26855
                     Cve26857     = @(Get-Cve26857)
                     Cve26858     = @(Get-Cve26858)
                     Cve27065     = @(Get-Cve27065)
                     Suspicious   = @(Get-SuspiciousFile)
                     LogAgeDays   = Get-LogAge
+                    IssuesFound  = $false
                 }
+
+                if ($results.Cve26855.Hits.Count -or $results.Cve26857.Count -or $results.Cve26858.Count -or $results.Cve27065.Count -or $results.Suspicious.Count) {
+                    $results.IssuesFound = $true
+                }
+
+                $results
             }
             #endregion Remoting Scriptblock
             $parameters = @{
@@ -358,7 +365,7 @@ begin {
                     }
                 }
 
-                if (-not ($report.Cve26855.Hits.Count -or $report.Cve26857.Count -or $report.Cve26858.Count -or $report.Cve27065.Count -or $report.Suspicious.Count)) {
+                if (-not $report.IssuesFound) {
                     Write-Host "  Nothing suspicious detected" -ForegroundColor Green
                     Write-Host ""
                     continue
@@ -474,14 +481,20 @@ begin {
                     }
                     if ($CollectFiles -and $isLocalMachine) {
                         Write-Host " Copying Files:"
-                        if (-not (Test-Path -Path "$($LogFileOutPath)\SuspiciousFiles")) {
-                            Write-Host "  Creating SuspiciousFiles Collection Directory"
-                            New-Item "$($LogFileOutPath)\SuspiciousFiles" -ItemType Directory -Force | Out-Null
+
+                        #Deleting and recreating suspiciousFiles folder to prevent overwrite exceptions due to folders (folder name: myfolder.zip)
+                        if ( Test-Path -Path "$($LogFileOutPath)\SuspiciousFiles" ) {
+                            Remove-Item -Path "$($LogFileOutPath)\SuspiciousFiles" -Recurse -Force
                         }
+                        Write-Host "  Creating SuspiciousFiles Collection Directory"
+                        New-Item "$($LogFileOutPath)\SuspiciousFiles" -ItemType Directory -Force | Out-Null
+
+                        $fileNumber = 0
                         foreach ($entry in $report.Suspicious) {
                             if (Test-Path -Path $entry.path) {
                                 Write-Host "  Copying $($entry.Path) to $($LogFileOutPath)\SuspiciousFiles" -ForegroundColor Green
-                                Copy-Item -Path $entry.Path -Destination "$($LogFileOutPath)\SuspiciousFiles"
+                                Copy-Item -Path $entry.Path -Destination "$($LogFileOutPath)\SuspiciousFiles\$($entry.Name)_$fileNumber"
+                                $fileNumber += 1
                             } else {
                                 Write-Host "  Warning: Unable to copy file $($entry.Path). File does not exist." -ForegroundColor Red
                             }

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -88,4 +88,5 @@ steps:
       dist\*.nse
       dist\*.zip
       dist\*.txt
-    addChangeLog: true
+    addChangeLog: true
+    isDraft: true