From 683e2f9eb983f20727b9736913c1f221bb98556e Mon Sep 17 00:00:00 2001
From: Bill Long
Date: Sat, 6 Mar 2021 16:48:22 -0600
Subject: [PATCH] Fix #102
---
 Security/Test-ProxyLogon.ps1 | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/Security/Test-ProxyLogon.ps1 b/Security/Test-ProxyLogon.ps1
index e545a4793d..a4cc971475 100644
--- a/Security/Test-ProxyLogon.ps1
+++ b/Security/Test-ProxyLogon.ps1
@@ -133,8 +133,7 @@ process {
 param ()
 $exchangePath = Get-ExchangeInstallPath
-
- Get-ChildItem -Recurse -Path "$exchangePath\Logging\ECP\Server\*.log" -ErrorAction SilentlyContinue | Select-String "Set-.*VirtualDirectory" -List | Select-Object -ExpandProperty Path
+ Get-ChildItem -Recurse -Path "$exchangePath\Logging\ECP\Server\*.log" -ErrorAction SilentlyContinue | Select-String "Set-.+VirtualDirectory" -List | Select-Object -ExpandProperty Path
 }
 function Get-SuspiciousFile {
@@ -266,6 +265,19 @@ process {
 }
 Write-Host ""
 }
+ if ($report.Cve27065.Count -gt 0) {
+ Write-Host " [CVE-2021-27065] Suspicious activity found in ECP logs!" -ForegroundColor Red
+ Write-Host " Please review the following files for 'Set-*VirtualDirectory' entries:"
+ foreach ($entry in $report.Cve27065) {
+ Write-Host " $entry"
+ }
+ if ($OutPath) {
+ $newFile = Join-Path -Path $OutPath -ChildPath "$($report.ComputerName)-Cve-2021-27065.log"
+ $report.Cve27065 | Set-Content -Path $newFile
+ Write-Host " Report exported to: $newFile"
+ }
+ Write-Host ""
+ }
 if ($report.Suspicious.Count -gt 0) {
 Write-Host " Other suspicious files found: $(@($report.Suspicious).Count)"
 if ($OutPath) {
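Review bot: On the changed `Get-ChildItem` line, `-ErrorAction SilentlyContinue` makes a missing or unreadable `Logging\ECP\Server` directory indistinguishable from logs with no matches, so this check can come back empty when it was never able to look. Testing the path first and emitting something like `Write-Warning "ECP server logs not found or not readable under $exchangePath"` would keep a failed scan from reading as a clean one. The new pattern `Set-.+VirtualDirectory` is also unanchored and greedy, so any line with `Set-` followed anywhere later by `VirtualDirectory` matches; `Set-\w+VirtualDirectory` would presumably stay closer to cmdlet names, though that should be confirmed against real ECP log lines. The function's header is outside the hunk.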
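Review bot: The new CVE-2021-27065 block prints and exports only log file paths, so an analyst has to search each file again to find the `Set-*VirtualDirectory` entries that triggered the finding. Since the function changed in the first hunk already runs `Select-String`, carrying the line number and matched line into the report would let the exported file stand as evidence on its own. `Set-Content -Path $newFile` also silently overwrites an earlier report of the same name, which loses prior findings if the script is rerun after logs have rotated. The condition reads `$report.Cve27065.Count` while the existing message below uses `@($report.Suspicious).Count`; writing `if (@($report.Cve27065).Count -gt 0) {` would be consistent and would not depend on how a single returned path is counted. The enclosing `process` block starts and ends outside the hunk.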