Proxy Shell Exchange
Query
//Check the Exchange Server for ProxyShell vulnerability scanning
W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell" | where csMethod == "POST"Explanation
This query checks the Exchange Server logs for any scanning activity related to the ProxyShell vulnerability. It specifically looks for requests made to the "/autodiscover/autodiscover.json" endpoint, with the query parameter containing "PowerShell", and using the HTTP POST method.
Details

Rod Trent
Released: August 24, 2021
Tables
W3CIISLog
Keywords
ExchangeProxyShellVulnerabilityScanningW3CIISLogcsUriStemcsUriQueryPowerShellcsMethodPOST
Operators
| where==has