One Script to Mitigate, Scan for Malware, & Repair On-Premises Exchange Servers!

By Randy Becker, CISO & VP, Network and Security Consulting

Microsoft just released a new PowerShell script called the Exchange On-premises Mitigation Tool (EOMT). https://github.com/microsoft/CSS-Exchange/tree/main/Security#exchange-on-premises-mitigation-tool-eomt.

This single script automatically downloads the dependencies it needs, applies the mitigation, runs a malware scan, and reverses changes made by known threats.


How Does the Exchange On-premises Mitigation Tool Work?

For this to work, the script assumes your Exchange servers have secure outbound access to Microsoft. The tool makes everyone’s life easier by putting a mitigation in place quickly. It automatically:
• Mitigates current known attacks that exploit CVE-2021-26855 by applying a URL Rewrite configuration.
• Runs a malware scan of the Exchange Server using the Microsoft Safety Scanner.
• Attempts to reverse any changes made by identified threats.
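As an added example (not Microsoft's EOMT code and not from this post), the following PowerShell checks are ones an Exchange admin could run before and after EOMT.ps1 to confirm the outbound-access prerequisite and to review the results of the URL Rewrite mitigation and Safety Scanner steps. The download hosts, the "Default Web Site" IIS path and the msert.log location are assumptions, not taken from the page.

```powershell
# Added example, not part of EOMT or this post. Assumed (not from the page):
# the hosts EOMT downloads from, that Exchange runs under IIS "Default Web Site",
# and that the Safety Scanner (MSERT) writes its log to %windir%\debug\msert.log.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Test-OutboundAccess {
    # The script assumes secure outbound access to Microsoft; verify it first.
    param([string[]]$Hosts = @('github.com', 'download.microsoft.com', 'go.microsoft.com'))
    foreach ($h in $Hosts) {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Https443 = $r.TcpTestSucceeded }
    }
}

function Get-UrlRewriteMitigationState {
    # EOMT mitigates CVE-2021-26855 with an IIS URL Rewrite rule. Report whether
    # the module is installed and which rewrite rules are in effect on the site.
    $installed = Test-Path 'HKLM:\SOFTWARE\Microsoft\IIS Extensions\URL Rewrite'
    $rules = @()
    if ($installed) {
        $rules = @(Get-WebConfigurationProperty -PSPath 'IIS:\Sites\Default Web Site' `
            -Filter 'system.webServer/rewrite/rules' -Name Collection -ErrorAction SilentlyContinue |
            ForEach-Object { $_.name })
    }
    [pscustomobject]@{ UrlRewriteInstalled = $installed; RewriteRules = $rules }
}

function Get-SafetyScannerTail {
    # Surface the end of the MSERT log so the scan step's outcome can be reviewed;
    # a missing log means the scan has not run on this server yet.
    $log = Join-Path $env:windir 'debug\msert.log'
    if (Test-Path $log) { Get-Content $log -Tail 20 } else { "No $log yet: scan has not run" }
}

Test-OutboundAccess | Format-Table -AutoSize
Get-UrlRewriteMitigationState | Format-List
Get-SafetyScannerTail
```

Run it from an elevated PowerShell session on each Exchange server; an empty RewriteRules list after EOMT has completed means the mitigation step should be re-examined before relying on it.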

[Figure: visual of how the EOMT works (Microsoft Exchange On-Premises Mitigation Tool)]

As Microsoft directs, and as with any tool, you should understand the following before running it:

  • The Exchange EOMT is only effective against known attacks and is not guaranteed to mitigate all possible future attack techniques. This is a temporary mitigation until your Exchange servers can be fully updated as outlined in Microsoft’s previous guidance.
  • Microsoft recommends this script over the previous ExchangeMitigations.ps1 script as it is based on the latest threat intelligence. If you have already started with the other script, it is fine to switch to this one.
  • This is a recommended approach for Exchange deployments with Internet access and for those who want to attempt automated remediation.
  • So far, Microsoft has not observed any impact to Exchange Server functionality when using this tool.

Who should run the Exchange On-premises Mitigation Tool?

Situation: You have done nothing to date to patch or mitigate this issue.
Guidance: Run EOMT.PS1 as soon as possible. This will both attempt to remediate and mitigate your servers against further attacks. Once complete, follow the patching guidance to update your servers at http://aka.ms/exchangevulns

Situation: You have mitigated using any/all of the mitigation guidance Microsoft has given (ExchangeMitigations.ps1, blog posts, etc.).
Guidance: Run EOMT.PS1 as soon as possible. This will both attempt to remediate and mitigate your servers against further attacks. Once complete, follow the patching guidance to update your servers at http://aka.ms/exchangevulns

Situation: You have already patched your systems and are protected, but did NOT investigate for any adversary activity, indicators of compromise, etc.
Guidance: Run EOMT.PS1 as soon as possible. This will attempt to remediate any existing compromise that may not have been fully remediated before patching.

Situation: You have already patched and investigated your systems for any indicators of compromise, etc.
Guidance: No action is required.

If you would like strategic direction to strengthen your security stance, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!



Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation.
