ProxyShell.md

Exploits/ProxyShell.md

@@ -0,0 +1,34 @@
+
+This hunting query looks Detects a PowerShell New-MailboxExportRequest (ProxyShell exploitations) 
+
+Query
+
+DeviceProcessEvents 
+| where (ProcessCommandLine contains "New-MailboxExport" 
+and ProcessCommandLine contains " -Mailbox " 
+and ProcessCommandLine contains " -FilePath \\127.0.0.1\\C$")
+
+Category
+
+This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
+Technique, tactic, or state 	Covered? (v=yes) 	Notes
+Initial access 		
+Execution 		
+Persistence 		
+Privilege escalation 		
+Defense evasion 		
+Credential Access 		
+Discovery 		
+Lateral movement 		
+Collection 		
+Command and control 	V 	
+Exfiltration 		V
+Impact 		
+Vulnerability 		V
+Exploit 		
+Misconfiguration 		
+Malware, component 		
+Ransomware 		
+Contributor info
+
+Contributor: Shviam Malaviya GitHub alias: shviammalaviya Organization: OS Contact info: shivammalaviya@hotmail.com