Microsoft Launches a New Tool That Checks Exchange Servers for ProxyLogon Hacks

Microsoft has released a PowerShell script that checks whether an Exchange Server has been compromised through the ProxyLogon vulnerabilities.

On 2 March, Microsoft issued an out-of-band emergency security update that fixed four zero-day vulnerabilities being actively exploited in Microsoft Exchange Server. The vulnerabilities are tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

ProxyLogon is the chain of these vulnerabilities, which allows attackers to achieve remote code execution on an Internet-exposed Exchange server through Outlook Web Access (OWA).

In the observed attacks, the intruders installed web shells that gave them persistent control of the server and a foothold into the internal network. Microsoft attributed the attacks to a China-based threat group it named HAFNIUM.

How Does the Script Work?

When it disclosed the vulnerabilities, Microsoft published a list of commands that administrators could use to check whether a server had been compromised. Those commands had to be run manually and look for indicators of compromise (IOCs) in the Exchange HttpProxy logs, other Exchange log files, and the Windows Application event log.
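As an added example (not Microsoft's Test-ProxyLogon.ps1 and not code from the original article), the block below automates one of those manual checks: the CVE-2021-26855 indicator in the HttpProxy logs, which is an unauthenticated request (empty AuthenticatedUser) whose AnchorMailbox starts with "ServerInfo~". The sample log rows are constructed for the demonstration, the column names follow the HttpProxy log header, and the assumptions that real logs may carry "#" metadata lines before the header and that `$env:ExchangeInstallPath` points at the Exchange install directory are noted in the comments.

```powershell
# Added example, not the Test-ProxyLogon.ps1 script. Looks for the CVE-2021-26855
# indicator Microsoft's manual HttpProxy check describes: an unauthenticated request
# that the proxy routed by a "ServerInfo~<host>/<path>" anchor mailbox.

function Find-ProxyLogonSsrfIndicator {
    [CmdletBinding()]
    param(
        # One parsed HttpProxy log row (DateTime, ClientIpAddress, UrlStem,
        # AuthenticatedUser, AnchorMailbox, ...), usually fed from the pipeline.
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Row
    )
    process {
        # The pre-auth SSRF shows up as an empty AuthenticatedUser combined with a
        # ServerInfo~ anchor, whatever front-end path (/owa/, /ecp/, ...) was requested.
        if ([string]::IsNullOrEmpty($Row.AuthenticatedUser) -and
            $Row.AnchorMailbox -like 'ServerInfo~*/*') {
            [pscustomobject]@{
                DateTime      = $Row.DateTime
                ClientIp      = $Row.ClientIpAddress
                UrlStem       = $Row.UrlStem
                AnchorMailbox = $Row.AnchorMailbox
            }
        }
    }
}

function Import-HttpProxyLog {
    param([Parameter(Mandatory)][string]$Path)
    # Assumption: HttpProxy logs may start with "#Software:", "#Fields:" style
    # metadata lines ahead of the CSV header; dropping them keeps ConvertFrom-Csv
    # on the real column names.
    Get-Content -Path $Path |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ConvertFrom-Csv
}

# Constructed sample log: row 1 is a normal authenticated OWA request, row 2 is an
# unauthenticated request routed through a ServerInfo~ anchor (the indicator), and
# row 3 is an unauthenticated logon-page request with an ordinary SMTP anchor.
$sampleLog = @'
DateTime,RequestId,ClientIpAddress,UrlHost,UrlStem,AuthenticatedUser,AnchorMailbox
2021-03-03T10:15:01.000Z,1,10.0.0.5,mail.example.com,/owa/,CONTOSO\alice,Sid~S-1-5-21-1-2-3-1001
2021-03-03T10:16:44.000Z,2,203.0.113.7,mail.example.com,/ecp/y.js,,ServerInfo~localhost/autodiscover/autodiscover.xml
2021-03-03T10:17:02.000Z,3,198.51.100.2,mail.example.com,/owa/auth/logon.aspx,,Smtp~alice@example.com
'@

# Run the check over the constructed rows and print any hits.
$sampleLog | ConvertFrom-Csv | Find-ProxyLogonSsrfIndicator | Format-Table -AutoSize

# On a real server (assumption: $env:ExchangeInstallPath is set, as it is on
# Exchange hosts) the same filter runs over every HttpProxy log file:
#   Get-ChildItem -Recurse -Filter '*.log' -Path "$env:ExchangeInstallPath\Logging\HttpProxy" |
#       ForEach-Object { Import-HttpProxyLog -Path $_.FullName } |
#       Find-ProxyLogonSsrfIndicator
```

Only the second constructed row satisfies both conditions, which is the point of including the third: an empty AuthenticatedUser on its own is normal for a logon page request, so the filter must key on the ServerInfo~ anchor as well. The real script covers the other three CVEs too (OAB generator logs, ECP server logs, and Unified Messaging errors in the Application event log), so treat this as a single check, not a replacement.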

Yesterday, however, Microsoft's Exchange support engineers also published a PowerShell script named Test-ProxyLogon.ps1 on their GitHub repository, automating these checks for administrators.


Microsoft also provides instructions for running the script, either against the local Exchange server or against every Exchange server in the organization.

To check every Exchange server in the organization and save the collected logs to the desktop, run the following command in the Exchange Management Shell:

Get-ExchangeServer | .\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

To check only the local server and save the logs, run:

.\Test-ProxyLogon.ps1 -OutPath $home\desktop\logs

To check the local server and display the results without saving anything, run:

.\Test-ProxyLogon.ps1

Summing Up

The Cybersecurity and Infrastructure Security Agency (CISA) also recommends that every organization run the script on its Exchange servers to check for compromise. CISA is aware of widespread domestic and international exploitation of these vulnerabilities and urges all organizations to run Test-ProxyLogon.ps1 as soon as possible so they can find out whether they have been hit.

More than 30,000 Exchange servers are reported to have been compromised already. Every organization running Exchange should install the new security updates and then verify that it was not breached before patching, since the update closes the vulnerabilities but does not remove a web shell that was planted earlier.
