Microsoft Safety Scanner to remove web shells


DelJo63

According to www.bleepingcomputer.com:

Microsoft Exchange ProxyLogon attacks
Microsoft has also updated Microsoft Defender to detect web shells and other IOCs associated with these attacks.

Microsoft Safety Scanner, also known as the Microsoft Support Emergency Response Tool (MSERT), is a standalone portable antimalware tool that includes Microsoft Defender signatures to scan for and remove detected malware.
MSERT is an on-demand scanner and will not provide any real-time protection. Therefore, it should only be used for spot scans and not relied upon as a full-fledged antivirus program.
Furthermore, MSERT will automatically delete any detected files and not quarantine them if you do not start the program with the /N argument, as in msert.exe /N. To scan for web shells and not delete them, you can also use the PowerShell script described at the end of the article.
The Microsoft Safety Scanner can be downloaded as either a 32-bit or 64-bit executable and used to perform spot scans of a machine as needed.
For detailed information on what files were removed, you can consult the %SYSTEMROOT%\debug\msert.log
If you would like to scan for web shells without removing them, you can use a new PowerShell script named detect_webshells.ps1 created by CERT Latvia
These vulnerabilities are being tracked with the following CVEs:

  • CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability
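As an added example (not part of the original post or of the BleepingComputer article), the following PowerShell wrapper runs MSERT the way the article recommends, in detect-only mode so that nothing is deleted, and then pulls candidate detection lines out of %SYSTEMROOT%\debug\msert.log for review. The download location in $MsertPath and the 'Threat|Detected' keyword filter on the log are assumptions; /N is the switch named in the article, while /Q (quiet) and /F (force full scan) are documented MSERT switches not mentioned in the post.

```powershell
# Added example: run Microsoft Safety Scanner (MSERT) in detect-only mode and
# summarise the log, without deleting anything. Not from the original post.
# Assumptions: MSERT has been downloaded to $MsertPath; the keyword filter on the
# log lines is a heuristic, not a documented log format.

param(
    [string]$MsertPath = "$env:USERPROFILE\Downloads\MSERT.exe",  # assumed download path
    [switch]$FullScan                                             # add /F to force a full scan
)

# Log location named in the article.
$LogPath = Join-Path $env:SYSTEMROOT 'debug\msert.log'

if (-not (Test-Path $MsertPath)) {
    throw "MSERT not found at $MsertPath - download it from Microsoft first."
}

# /N = detect only (no removal, as the article describes); /Q = quiet, no UI.
$msertArgs = @('/N', '/Q')
if ($FullScan) { $msertArgs += '/F' }

# Guard: MSERT deletes detections by default, so refuse to run without /N.
if ($msertArgs -notcontains '/N') {
    throw 'Refusing to run MSERT without /N (it would delete detections).'
}

Write-Host "Running: $MsertPath $($msertArgs -join ' ')"
$proc = Start-Process -FilePath $MsertPath -ArgumentList $msertArgs -Verb RunAs -Wait -PassThru
Write-Host "MSERT exited with code $($proc.ExitCode)"

# Summarise the log. The pattern is an assumption about the log wording;
# open the file directly if nothing matches.
if (Test-Path $LogPath) {
    $hits = Select-String -Path $LogPath -Pattern 'Threat|Detected'
    if ($hits) {
        Write-Host "Possible detections (verify each one in $LogPath):"
        $hits | ForEach-Object { Write-Host $_.Line }
    } else {
        Write-Host "No lines matched the detection filter; review $LogPath manually."
    }
} else {
    Write-Warning "Log file $LogPath not found."
}
```

Run it from an elevated prompt on the Exchange server being checked; because /N is enforced, any files it reports still have to be reviewed and handled by the responder rather than being removed automatically.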