EX-PROXYLOGONInitial Access

ProxyLogon (CVE-2021-26855)

SSRF + auth bypass in Exchange CAS — read any mailbox / write to Exchange via /ecp, then drop webshell via WriteFile.

§ Where this technique fits

EX-PROXYLOGON is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

ProxyLogon → webshell on Exchange → DA
Unauth SSRF + auth bypass against on-prem Exchange (CAS) — write a webshell as SYSTEM on the Exchange server, dump LSASS for cached domain creds, pivot to DA.
step 2 / 6

§ What commonly comes next

01
Webshell Deployment
W-WEBSHELL · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ProxyLogon → webshell on Exchange → DA

§ What commonly comes next