From 3702b07d3003fe1a910acb5ef474e69d7505ee45 Mon Sep 17 00:00:00 2001 From: Shivammalaviya <66640150+Shivammalaviya@users.noreply.github.com> Date: Mon, 9 Aug 2021 12:52:52 +0530 Subject: [PATCH] Create ProxyShell.md --- Exploits/ProxyShell.md | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 Exploits/ProxyShell.md diff --git a/Exploits/ProxyShell.md b/Exploits/ProxyShell.md new file mode 100644 index 00000000..bd0f6252 --- /dev/null +++ b/Exploits/ProxyShell.md @@ -0,0 +1,34 @@ + +This hunting query looks Detects a PowerShell New-MailboxExportRequest (ProxyShell exploitations) + +Query + +DeviceProcessEvents +| where (ProcessCommandLine contains "New-MailboxExport" +and ProcessCommandLine contains " -Mailbox " +and ProcessCommandLine contains " -FilePath \\127.0.0.1\\C$") + +Category + +This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states. +Technique, tactic, or state Covered? (v=yes) Notes +Initial access +Execution +Persistence +Privilege escalation +Defense evasion +Credential Access +Discovery +Lateral movement +Collection +Command and control V +Exfiltration V +Impact +Vulnerability V +Exploit +Misconfiguration +Malware, component +Ransomware +Contributor info + +Contributor: Shviam Malaviya GitHub alias: shviammalaviya Organization: OS Contact info: shivammalaviya@hotmail.com
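Review bot: the `-FilePath` clause in the new query is the fragile part of this hunk: as a KQL double-quoted literal, `" -FilePath \\127.0.0.1\\C$"` unescapes to ` -FilePath \127.0.0.1\C$` (one backslash each), and it only hits because that text happens to be a suffix of the real UNC path `\\127.0.0.1\C$`; once the .md is rendered, markdown collapses `\\` to `\` again, so anyone copying the query from the page gets yet another variant. Use a verbatim string, `@" -FilePath \\127.0.0.1\C$"`, and wrap the whole query in a fenced code block so GitHub does not rewrite it. Pinning the target to `127.0.0.1` also drops exports written to `\\localhost\C$` or to the server's own hostname or address; matching on `-FilePath` together with `\C$` (or any UNC prefix) and reviewing `InitiatingProcessAccountName` is a safer starting point. It is also worth confirming that a cmdlet invoked through the Exchange PowerShell remoting backend actually appears in `DeviceProcessEvents` with this command line rather than only in Exchange's own cmdlet logging, since otherwise the rule only catches interactive use. Smaller items in the same hunk: the opening line reads "looks Detects" and should say "detects a New-MailboxExportRequest invocation used in ProxyShell exploitation"; the technique table is flattened prose and should be a markdown table, and the `V` marks on Command and control and Exfiltration do not fit a mailbox export that writes a file to the local admin share, where Initial access and Persistence (ATT&CK T1190 and T1505.003) are the usual ProxyShell mapping; and the contributor block reads "Shviam Malaviya" / "shviammalaviya" while the commit author is "Shivammalaviya".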