Adversaries may exploit ProxyToken (CVE-2021-33766), an authentication bypass in the Exchange Control Panel (ECP) of on-premises Microsoft Exchange Server, to issue ECP requests without valid credentials and change mailbox configuration (the public write-up demonstrates adding a mail-forwarding rule). The flaw lies in how the front end proxies requests that carry a SecurityToken cookie to the back end, which then fails to authenticate them; it is not an Azure issue, and the rule below runs in Microsoft Sentinel over IIS logs collected from the Exchange servers. SOC teams should hunt for this pattern proactively: a successful bypass is an initial-access foothold (T1190) that can be followed by mailbox data theft, persistence through forwarding rules, and follow-on lateral movement.
KQL Query
W3CIISLog
//Exclude local addresses, using the ipv4_is_private() function
| where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
| where csMethod =~ "POST"
| where csUriStem has "/ecp"
| where isnotempty(csCookie) and csCookie has "SecurityToken"
| where csUriQuery has "msExchEcpCanary"
| extend timestamp=TimeGenerated, HostCustomEntity=Computer, IPCustomEntity=cIP
Sentinel analytic rule (YAML)
id: 141a3be6-be08-4519-9698-2fc908f6761c
name: Suspected ProxyToken Exploitation
description: |
  'Looks for activity that might indicate exploitation of the ProxyToken vulnerability - CVE-2021-33766
  Ref: https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server'
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  W3CIISLog
  //Exclude local addresses, using the ipv4_is_private() function
  | where ipv4_is_private(cIP) == false and cIP !startswith "fe80" and cIP !startswith "::" and cIP !startswith "127."
  | where csMethod =~ "POST"
  | where csUriStem has "/ecp"
  | where isnotempty(csCookie) and csCookie has "SecurityToken"
  | where csUriQuery has "msExchEcpCanary"
  | extend timestamp=TimeGenerated, HostCustomEntity=Computer, IPCustomEntity=cIP
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: cIP
| Sentinel Table | Notes |
|---|---|
| W3CIISLog | Enable the IIS connector (AzureMonitor(IIS)) on the Exchange servers. The query depends on csCookie, and cs(Cookie) is not among IIS's default W3C log fields: enable it on the front-end site, or csCookie stays empty and the rule never fires. Note also that ipv4_is_private() returns null for IPv6 client addresses, so the `== false` comparison drops IPv6 sources entirely rather than testing them. |
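The same detection logic as a stand-alone script over raw IIS W3C log files, useful for checking a server's logs directly or for validating the rule before it reaches Sentinel. This is an added example, not part of the Sentinel rule above or of the referenced write-up; the log lines are constructed, the URI paths and cookie values are illustrative, and the `trusted_sources` allow-list is an assumed tuning knob. It goes slightly beyond the KQL in two places: public IPv6 clients are evaluated rather than dropped, and IPv4-mapped IPv6 addresses and unique-local IPv6 ranges are treated as internal.

```python
"""Stand-alone check for the ProxyToken (CVE-2021-33766) request pattern over raw IIS W3C logs.

Mirrors the Sentinel query on this page: a POST to /ecp from a non-private
client that carries a SecurityToken cookie and an msExchEcpCanary query
parameter. Column names come from the IIS "#Fields:" directive.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed sample log, not a real capture. The cs(Cookie) column exists only
# if cookie logging was enabled on the site; it is not a default W3C field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Cookie) sc-status
2021-09-01 10:00:01 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=AAAAAAAAAAAAAAAAAAAAAAAA 203.0.113.7 python-requests/2.25.1 SecurityToken=x 200
2021-09-01 10:00:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=BBBBBBBBBBBBBBBBBBBBBBBB 192.168.1.20 Mozilla/5.0 SecurityToken=x 200
2021-09-01 10:00:03 10.0.0.5 GET /ecp/default.aspx - 203.0.113.7 python-requests/2.25.1 SecurityToken=x 500
2021-09-01 10:00:04 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=CCCCCCCCCCCCCCCCCCCCCCCC 198.51.100.9 Mozilla/5.0 ASP.NET_SessionId=abc;+msExchEcpCanary=CCCCCCCCCCCCCCCCCCCCCCCC 200
2021-09-01 10:00:05 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject msExchEcpCanary=DDDDDDDDDDDDDDDDDDDDDDDD 2001:db8::10 curl/7.68.0 SecurityToken=x 200
"""

# Ranges the KQL excludes: ipv4_is_private() (RFC 1918), "127.", "fe80" and "::".
# fc00::/7 (IPv6 unique-local) is added here as the IPv6 counterpart of RFC 1918.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "fe80::/10", "::1/128", "fc00::/7",
)]


def is_internal(client_ip: str) -> bool:
    """True for RFC 1918, loopback, link-local and unique-local sources (v4 and v6)."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # "-" or garbage: keep the row for review rather than drop it
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 is an internal IPv4 client
    return any(addr in net for net in INTERNAL_NETS)


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse a W3C extended log into dicts keyed by the names in '#Fields:'."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()  # IIS encodes spaces inside a value as '+'
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would record it
        rows.append(dict(zip(fields, values)))
    return rows


def matches_proxytoken(row: Dict[str, str]) -> bool:
    """The four conditions of the KQL query; 'in' approximates KQL's term-based 'has'."""
    cookie = row.get("cs(Cookie)", "-")
    return (
        not is_internal(row.get("c-ip", "-"))
        and row.get("cs-method", "").upper() == "POST"
        and "/ecp" in row.get("cs-uri-stem", "").lower()
        and cookie != "-" and "securitytoken" in cookie.lower()
        and "msexchecpcanary" in row.get("cs-uri-query", "").lower()
    )


def hunt(text: str, trusted_sources: Iterable[str] = ()) -> List[Dict[str, str]]:
    """Run the detection, dropping allow-listed management addresses (assumed tuning knob)."""
    trusted = set(trusted_sources)
    return [r for r in parse_w3c(text) if matches_proxytoken(r) and r["c-ip"] not in trusted]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):  # the 203.0.113.7 and 2001:db8::10 rows
        print(hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"], hit["cs(User-Agent)"])
```

Row 2 is dropped as RFC 1918, row 3 for being a GET, and row 4 because its cookies are the ordinary ECP session cookies with no SecurityToken; the IPv6 client in row 5 is reported here but would be invisible to the KQL as written.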
ProxyToken is a vulnerability, not a credential-handling mechanism: no scheduled task, PsExec or WinRM session, PowerShell remoting call or patching tool "uses" it, and W3CIISLog carries no process name to filter on. Benign matches for this query come from the HTTP side, from clients that legitimately POST to /ecp from addresses the query does not treat as private. Tune on the fields the query actually has: cIP, csUserAgent, csUserName, csUriStem and csCookie.
Scenario: Administrator working in ECP from a non-private source address
Description: The query only excludes RFC 1918, loopback and link-local clients, so an admin connecting through a VPN or NAT egress, a remote site, or a cloud-hosted jump host appears with a public cIP. Every legitimate ECP POST carries msExchEcpCanary; what an ordinary interactive logon does not produce is a SecurityToken cookie, which is the element the bypass relies on.
Filter/Exclusion: Allow-list the known management egress addresses on cIP, and treat a SecurityToken cookie from any other source as suspect regardless of the user agent.
Scenario: Automation or monitoring tooling that drives ECP
Description: Scripted configuration jobs, availability probes or managed-service-provider tooling that call ECP endpoints from outside the private range match on method, path and canary just as a browser session does.
Filter/Exclusion: Identify such tooling by csUserAgent together with cIP and exclude that pair; do not exclude on user agent alone, since the public proof of concept is a script whose user agent an attacker chooses freely.
Scenario: Vulnerability scanner or authorized red-team activity
Description: Scanners with a check for CVE-2021-33766 and internal red teams reproduce the request pattern exactly, SecurityToken cookie included.
Filter/Exclusion: Exclude the scanner source addresses for the scheduled scan window only, and confirm the targeted servers carry the July 2021 Exchange Security Update that fixes the flaw; an unpatched server reached by a scanner is still a finding.
Scenario: Security tool or SIEM agent on the Exchange server
Description: Log forwarders and SIEM agents (Splunk, ELK, or the Log Analytics agent) read the IIS log files; they do not authenticate to ECP and generate no requests matching this query. A tool that actively probes ECP, for example as part of an exposure check, falls under the scanner scenario above.