EXH-018 · 2021 · Fictional reconstruction
Autodiscover Depth
March 2021. Microsoft discloses four Exchange zero-days actively exploited in the wild. The first link in the chain is an unauthenticated SSRF against `/owa/auth/` paths.
Type: Modern / Cloud
Difficulty: Advanced
Era: 2020s
Time: 10 min
Briefing
This terminal contains fictional IPs and shortened paths. The vulnerability chain and CVE identifiers are real. No Exchange DLLs execute here.
Your role
Threat hunter validating IIS logs against Microsoft's March emergency guidance.
Objective
Locate the suspicious Cookie / path combination that Microsoft's public write-ups associated with CVE-2021-26855 reconnaissance.
Terminal environment
- user: hunter
- host: edr-siem-bridge
- cwd: /forensics/exchange-proxylogon-drill
- steps: 3
Safety note. This is a safe reconstruction. All systems, files, hosts, credentials, and outputs are simulated. Do not use these techniques on systems you do not own or have explicit permission to test.