Hunting Webshells on Microsoft Exchange Server
Obligatory “Who is this guy?” Slide
Josh M. Bryant, Cybersecurity Architect (Senior Consult Cyber II), Microsoft
@FixTheExchange, http://www.fixtheexchange.com/
Master Sergeant, 183 Air Communications Flight, Illinois Air National Guard
“Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents.” - US-CERT
https://www.us-cert.gov/ncas/alerts/TA15-314A
Webshell
Upload & Timestomp
Let’s go Hunting!
You can run, but you can’t hide!
Attack Graphs
Where my logs at?
Step 1 – Find all Exchange (2010-2016) Servers with the Client Access Server Role.
Step 2 – Find where the IIS Logs are stored.

```powershell
PS C:\> [adsi]"IIS://localhost/w3svc" | select LogFileDirectory | %{$_.LogFileDirectory}
C:\inetpub\logs\LogFiles
```
Searching IIS Logs with Log Parser Studio
Indicators:
• POST operations with low RequestCount
• URIs that don’t require authentication
• Note the UserAgent
Identify Compromised Accounts
Searching IIS Logs with Log Parser Studio
ClientId = Server-side Cookie Reference
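Added example, not code from the deck or from Log Parser Studio: the indicators above (POSTs with a low request count to URIs that need no authentication, and the UserAgent) and the compromised-account pivot, as a small Python checker over constructed IIS W3C log lines. The anonymous path prefixes, the request-count cut-off and every log line are assumptions; only the file name errorEE.aspx comes from the deck.

```python
# Added example (not code from the deck): the deck's IIS log indicators applied to
# constructed W3C log lines, then a pivot from offending client IPs to accounts.
from collections import defaultdict

UNAUTH_PREFIXES = ("/owa/auth/", "/ecp/auth/")   # assumption: paths served without auth
MAX_HITS = 5                                     # assumption: "low RequestCount" cut-off

# Constructed sample log. errorEE.aspx is the file name from the deck's screenshot;
# every request, address and account below is invented.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2016-11-21 17:01:02 POST /owa/auth.owa - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 302
2016-11-21 17:01:03 GET /owa/ CONTOSO\\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2016-11-21 17:02:40 POST /owa/auth/errorEE.aspx - 203.0.113.9 python-requests/2.9.1 200
2016-11-21 17:02:41 POST /owa/auth/errorEE.aspx - 203.0.113.9 python-requests/2.9.1 200
2016-11-21 17:05:10 POST /owa/auth.owa - 203.0.113.9 python-requests/2.9.1 302
2016-11-21 17:05:11 GET /owa/ CONTOSO\\svc-backup 203.0.113.9 python-requests/2.9.1 200
2016-11-21 17:06:00 POST /owa/auth.owa - 10.0.0.78 Mozilla/5.0+(Windows+NT+10.0) 302
"""

def parse_w3c(text):
    """Parse IIS W3C extended log text into a list of {field: value} rows."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the directive
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows

def hunt(rows, max_hits=MAX_HITS):
    """Return {uri: finding} for POST targets that match the deck's indicators."""
    posts = defaultdict(list)
    for r in rows:
        uri = r["cs-uri-stem"].lower()         # IIS paths are case-insensitive
        if r["cs-method"] == "POST" and uri.startswith(UNAUTH_PREFIXES):
            posts[uri].append(r)
    findings = {}
    for uri, hits in posts.items():
        if len(hits) > max_hits:               # busy endpoints are noise for this check
            continue
        ips = sorted({h["c-ip"] for h in hits})
        # pivot: accounts (cs-username) that authenticated from the same client IPs
        accounts = sorted({r["cs-username"] for r in rows
                           if r["c-ip"] in ips and r["cs-username"] != "-"})
        findings[uri] = {"hits": len(hits), "ips": ips, "accounts": accounts,
                         "user_agents": sorted({h["cs(User-Agent)"] for h in hits})}
    return findings
```

The logon handler /owa/auth.owa is also anonymous but sits outside the assumed prefixes, so it is left for the request-count threshold rather than flagged on path alone.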
Invoke-ExchangeWebShellHunter

```powershell
PS C:\Windows\system32> Invoke-ExchangeWebShellHunter

FNBornTime     : 11/21/2016 4:59:41 PM
Server         : EX2016
UpdatedOn      : 11/20/2016 10:30 PM
File           : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
InstalledOn    : 5/14/2016 3:21 AM
PSComputerName : EX2016
RunspaceId     : 21645dd4-02d5-4d94-bb77-3878b44e5ec0
```

https://github.com/FixTheExchange/Invoke-ExchangeWebShellHunter
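Added example, not the Invoke-ExchangeWebShellHunter code: the comparison its output fields suggest (file born after the last Exchange update, and a timestomped file whose visible creation time disagrees with its MFT birth time), in Python over constructed records. It assumes FNBornTime is the $FILE_NAME creation time from the MFT; apart from the errorEE.aspx times shown on the slide, every path and timestamp is invented.

```python
# Added example (not the deck's Invoke-ExchangeWebShellHunter code): the comparison
# its output implies. FNBornTime is read here as the $FILE_NAME creation time from
# the MFT (an assumption); timestomping normally rewrites $STANDARD_INFORMATION only.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileRecord:
    path: str
    si_created: datetime   # $STANDARD_INFORMATION created (what Get-Item shows)
    fn_born: datetime      # $FILE_NAME created (FNBornTime in the deck's output)

def ts(s):
    return datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p")

# Constructed sample for one server. The errorEE.aspx times follow the deck's
# screenshot (seconds added where it shows none); the other two files are invented.
INSTALLED_ON = ts("5/14/2016 3:21:00 AM")
UPDATED_ON = ts("11/20/2016 10:30:00 PM")
ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
SAMPLE_FILES = [
    FileRecord(ROOT + r"\owa\auth\logon.aspx",
               ts("11/20/2016 10:29:40 PM"), ts("11/20/2016 10:29:40 PM")),
    # dropped after the last update, $SI then stomped to look like an install-time file
    FileRecord(ROOT + r"\owa\auth\errorEE.aspx",
               ts("5/14/2016 3:21:00 AM"), ts("11/21/2016 4:59:41 PM")),
    FileRecord(ROOT + r"\ecp\auth\TimeoutLogout.aspx",
               ts("5/14/2016 3:25:30 AM"), ts("5/14/2016 3:25:30 AM")),
]

def suspicious(files, installed_on, updated_on, tolerance=timedelta(minutes=1)):
    """Return {path: [reasons]} for files that should be pulled for review."""
    out = {}
    for f in files:
        reasons = []
        if f.fn_born > updated_on + tolerance:
            reasons.append("born after the last Exchange update")
        if f.fn_born < installed_on - tolerance:
            reasons.append("born before Exchange was installed")
        # $SI/$FN disagreement also happens on copies and moves, so treat it as a
        # prompt to look, not as proof of tampering
        if abs(f.fn_born - f.si_created) > tolerance:
            reasons.append("$SI created disagrees with $FN born (possible timestomp)")
        if reasons:
            out[f.path] = reasons
    return out
```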
Password?
“pp” string = SHA-1 hash of the password
Questions?
Josh M. Bryant, Cybersecurity Architect (Senior Consult Cyber II), Microsoft
@FixTheExchange, http://www.fixtheexchange.com/
Master Sergeant, 183 Air Communications Flight, Illinois Air National Guard