Merge pull request #104 from microsoft/main

Release
microsoft · Mar 6, 2021 · 0add577 · 0add577
2 parents 096fc05 + 9ba158a
commit 0add577
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/Security/Test-ProxyLogon.ps1 b/Security/Test-ProxyLogon.ps1
@@ -133,8 +133,7 @@ process {
                     param ()
 
                     $exchangePath = Get-ExchangeInstallPath
-
-                    Get-ChildItem -Recurse -Path "$exchangePath\Logging\ECP\Server\*.log" -ErrorAction SilentlyContinue | Select-String "Set-.*VirtualDirectory" -List | Select-Object -ExpandProperty Path
+                    Get-ChildItem -Recurse -Path "$exchangePath\Logging\ECP\Server\*.log" -ErrorAction SilentlyContinue | Select-String "Set-.+VirtualDirectory" -List | Select-Object -ExpandProperty Path
                 }
 
                 function Get-SuspiciousFile {
@@ -266,6 +265,19 @@ process {
                     }
                     Write-Host ""
                 }
+                if ($report.Cve27065.Count -gt 0) {
+                    Write-Host "  [CVE-2021-27065] Suspicious activity found in ECP logs!" -ForegroundColor Red
+                    Write-Host "  Please review the following files for 'Set-*VirtualDirectory' entries:"
+                    foreach ($entry in $report.Cve27065) {
+                        Write-Host "   $entry"
+                    }
+                    if ($OutPath) {
+                        $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-27065.log"
+                        $report.Cve27065 | Set-Content -Path $newFile
+                        Write-Host "  Report exported to: $newFile"
+                    }
+                    Write-Host ""
+                }
                 if ($report.Suspicious.Count -gt 0) {
                     Write-Host "  Other suspicious files found: $(@($report.Suspicious).Count)"
                     if ($OutPath) {