From 8ac2d2dfb30e369203cec6235cdc3a9d3985bb2f Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Fri, 12 Mar 2021 13:53:25 -0600
Subject: [PATCH 1/4] Release as draft

The releases are so large now, it is taking 5-10 minutes to upload everything. During this time, the release can be viewed with only partial files, and this may cause unexpected results from CompareExchangeHashes. This change causes the releases to be saved as a Draft, which can then be released with a click, causing all assets to go live at the same time.
---
 azure-pipelines.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/azure-pipelines.yml b/azure-pipelines.yml
index e2942b208c..1b90fa694c 100644
--- a/azure-pipelines.yml
+++ b/azure-pipelines.yml
@@ -88,4 +88,5 @@ steps:
 dist\*.nse
 dist\*.zip
 dist\*.txt
-addChangeLog: true
\ No newline at end of file
+addChangeLog: true
+isDraft: true

From 0b2f2ddd45872a666ad9653560718a006d8f58db Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Fri, 12 Mar 2021 15:13:12 -0600
Subject: [PATCH 2/4] Add a flag to indicate whether issues were found

---
 Security/src/Test-ProxyLogon.ps1 | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/Security/src/Test-ProxyLogon.ps1 b/Security/src/Test-ProxyLogon.ps1
index e6db5e7f67..0a40d10945 100644
--- a/Security/src/Test-ProxyLogon.ps1
+++ b/Security/src/Test-ProxyLogon.ps1
@@ -256,7 +256,7 @@ begin {
 }
 #endregion Functions
-[PSCustomObject]@{
+$results = [PSCustomObject]@{
 ComputerName = $env:COMPUTERNAME
 Cve26855 = Get-Cve26855
 Cve26857 = @(Get-Cve26857)
@@ -264,7 +264,14 @@ begin {
 Cve27065 = @(Get-Cve27065)
 Suspicious = @(Get-SuspiciousFile)
 LogAgeDays = Get-LogAge
+IssuesFound = $false
 }
+
+if ($results.Cve26855.Hits.Count -or $results.Cve26857.Count -or $results.Cve26858.Count -or $results.Cve27065.Count -or $results.Suspicious.Count) {
+$results.IssuesFound = $true
+}
+
+$results
 }
 #endregion Remoting Scriptblock
 $parameters = @{
@@ -358,7 +365,7 @@ begin {
 }
 }
-if (-not ($report.Cve26855.Hits.Count -or $report.Cve26857.Count -or $report.Cve26858.Count -or $report.Cve27065.Count -or $report.Suspicious.Count)) {
+if (-not $report.IssuesFound) {
 Write-Host " Nothing suspicious detected" -ForegroundColor Green
 Write-Host ""
 continue

From 34e2696a6486e7e192bf3d1cbbe9d2d569a47de2 Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Fri, 12 Mar 2021 15:36:07 -0600
Subject: [PATCH 3/4] Include file collection changes from akshar

---
 Security/src/Test-ProxyLogon.ps1 | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Security/src/Test-ProxyLogon.ps1 b/Security/src/Test-ProxyLogon.ps1
index 0a40d10945..4a7aa28953 100644
--- a/Security/src/Test-ProxyLogon.ps1
+++ b/Security/src/Test-ProxyLogon.ps1
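Review bot: The new `if (-not $report.IssuesFound)` fails open: if `$report` reaches this point without that property (a `$null` or partial result from a remote run, or a `$report` shape this hunk does not show), the expression evaluates to `$null`, `-not $null` is `$true`, and the host is reported as "Nothing suspicious detected". For a detection script the safer default is to treat a missing verdict as inconclusive rather than clean, e.g. `if ($null -eq $report.IssuesFound) { Write-Host " Scan did not return a verdict; treat as inconclusive" -ForegroundColor Yellow; continue }` placed ahead of the new check. Whether `$report` can actually be `$null` or incomplete here depends on code outside the hunk, and the enclosing loop that this `continue` belongs to starts and ends outside it.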
@@ -481,14 +481,20 @@ begin {
 }
 if ($CollectFiles -and $isLocalMachine) {
 Write-Host " Copying Files:"
-if (-not (Test-Path -Path "$($LogFileOutPath)\SuspiciousFiles")) {
-Write-Host " Creating SuspiciousFiles Collection Directory"
-New-Item "$($LogFileOutPath)\SuspiciousFiles" -ItemType Directory -Force | Out-Null
+
+#Deleting and recreating suspiciousFiles folder to prevent overwrite exceptions due to folders (folder name: myfolder.zip)
+if ( Test-Path -Path "$($LogFileOutPath)\SuspiciousFiles" ) {
+Remove-Item -Path "$($LogFileOutPath)\SuspiciousFiles" -Recurse -Force
 }
+Write-Host " Creating SuspiciousFiles Collection Directory"
+New-Item "$($LogFileOutPath)\SuspiciousFiles" -ItemType Directory -Force | Out-Null
+
+$fileNumber = 0
 foreach ($entry in $report.Suspicious) {
 if (Test-Path -Path $entry.path) {
 Write-Host " Copying $($entry.Path) to $($LogFileOutPath)\SuspiciousFiles" -ForegroundColor Green
-Copy-Item -Path $entry.Path -Destination "$($LogFileOutPath)\SuspiciousFiles"
+Copy-Item -Path $entry.Path -Destination "$($LogFileOutPath)\SuspiciousFiles\$($entry.Name)_$fileNumber"
+$fileNumber += 1
 } else {
 Write-Host " Warning: Unable to copy file $($entry.Path). File does not exist." -ForegroundColor Red
 }

From 266e516406b17fd88e153903380e803bf129baa5 Mon Sep 17 00:00:00 2001
From: Anshul Dube <42183064+anshuldube@users.noreply.github.com>
Date: Fri, 12 Mar 2021 14:08:24 -0800
Subject: [PATCH 4/4] Update README.md

---
 Security/README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/Security/README.md b/Security/README.md
index 4d5260fdeb..830af59dae 100644
--- a/Security/README.md
+++ b/Security/README.md
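Review bot: The new `Remove-Item -Path "$($LogFileOutPath)\SuspiciousFiles" -Recurse -Force` deletes a whole tree at a location built by string interpolation, and if `$LogFileOutPath` is empty or unset (its validation, if any, is outside the hunk) the path collapses to `\SuspiciousFiles` at the root of the current drive, which the preceding `Test-Path` guard does nothing to prevent. Check the variable before the delete, e.g. `if ([string]::IsNullOrWhiteSpace($LogFileOutPath)) { throw "LogFileOutPath must be set before collecting files" }`, and build the directory once with `$suspiciousDir = Join-Path $LogFileOutPath 'SuspiciousFiles'` so the four interpolated copies of the path cannot drift apart. Separately, the new `Copy-Item -Path $entry.Path` (like the `Test-Path -Path $entry.path` context line it sits under) treats `[`, `]`, `*` and `?` in the file name as wildcards; the files being collected are attacker-named, so a name containing those characters is either reported as missing or resolves to the wrong file, and `-LiteralPath` on both cmdlets copies exactly the file that was flagged. The enclosing `if ($CollectFiles -and $isLocalMachine)` block continues past the end of the hunk.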
@@ -116,13 +116,17 @@ For more information please go to [https://aka.ms/exchangevulns](https://aka.ms/ `.\CompareExchangeHashes.ps1` -The script currently only validates files in exchange virtual directories only, it does not check any files in the IIS root. +This script takes the following actions: +* Checks file hashes in exchange vdirs against known good baseline of hashes. +* Any file under IIS root which is edited after Dec 1st 2020 is marked as suspicious. + **This script needs to be run as administrator on all the exchange servers separately**. The script determines the version of exchange installed on the server and then downloads the hashes for known exchange files from the [published known good hashes of exchange files](https://github.com/microsoft/CSS-Exchange/releases/latest). The result generated is stored in a file locally with the following format: _result.csv If potential malicious files are found during comparision there is an error generated on the cmdline. +* Note: If the result file contains huge number of rows, it is potentially due to missing baseline hashes, please find the exchange versions found on the machine and leave a comment on issue [313](https://github.com/microsoft/CSS-Exchange/issues/313) To read the output, open the result csv file in excel or in powershell: