EX-PROXYSHELLInitial Access

ProxyShell (CVE-2021-34473/-34523/-31207)

Pre-auth chain — path confusion + email-to-PowerShell + arbitrary file write = SYSTEM webshell on the Exchange server.

§ Where this technique fits

EX-PROXYSHELL is catalogued under the Initial Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

§ Dossiers chaining this technique

ProxyShell → SYSTEM on Exchange → DA
Pre-auth ProxyShell chain (path confusion + EWS email-to-PowerShell + arbitrary file write) deploys a webshell as SYSTEM. Same post-exploitation as ProxyLogon.
step 2 / 6

§ What commonly comes next

01
Webshell Deployment
W-WEBSHELL · Persistence
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

ProxyShell → SYSTEM on Exchange → DA

§ What commonly comes next