Merge pull request #332 from microsoft/main

Release
microsoft · Mar 12, 2021 · 6a700e7 · 6a700e7
2 parents fb446d7 + 5c10ebb
commit 6a700e7
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 1 deletion.
diff --git a/Security/README.md b/Security/README.md
@@ -15,6 +15,8 @@ Download the latest release here:
 
 [Download Test-ProxyLogon.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/Test-ProxyLogon.ps1)
 
+### Usage
+
 The most typical usage of this script is to check all Exchange servers and save the reports,
 by using the following syntax from Exchange Management Shell:
 
@@ -32,6 +34,27 @@ To display the results without saving them, pass -DisplayOnly:
 
 `.\Test-ProxyLogon.ps1 -DisplayOnly`
 
+### Frequently Asked Questions
+
+**The script says it found suspicious files, and it lists a bunch of zip files. What does this mean?**
+
+The script will flag any zip/7x/rar files that it finds in ProgramData. As noted in
+[this blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/), web
+shells have been observed using such files for exfiltration. An administrator should review the files to
+determine if they are valid. Determining if a zip file is a valid part of an installed
+product is outside the scope of this script, and whitelisting files by name would only encourage
+the use of those specific names by attackers.
+
+**I'm having trouble running the script on Exchange 2010.**
+
+If PowerShell 3 is present, the script can be run on Exchange 2010. It will not run on PowerShell 2. One can
+also enable PS Remoting and run the script remotely against Exchange 2010. However,
+the script has minimal functionality in these scenarios, as Exchange 2010 is only affected by one of the
+four announced exploits - CVE-2021-26857. Further, this exploit is only available if the Unified Messaging role
+is present. As a result, it is often easier to simply run the Get-EventLog command from the
+[blog post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/),
+rather than using Test-ProxyLogon.
+
 ## [ExchangeMitigations.ps1](https://github.com/microsoft/CSS-Exchange/releases/latest/download/ExchangeMitigations.ps1)
 This script contains 4 mitigations to help address the following vulnerabilities:
 

diff --git a/Security/src/Test-ProxyLogon.ps1 b/Security/src/Test-ProxyLogon.ps1
@@ -258,7 +258,7 @@ begin {
 
                 [PSCustomObject]@{
                     ComputerName = $env:COMPUTERNAME
-                    Cve26855     = @(Get-Cve26855)
+                    Cve26855     = Get-Cve26855
                     Cve26857     = @(Get-Cve26857)
                     Cve26858     = @(Get-Cve26858)
                     Cve27065     = @(Get-Cve27065)