Hunting Webshells
On Microsoft Exchange Server
Josh M. Bryant, Cybersecurity Architect (Senior Consult Cyber II), Microsoft
@FixTheExchange
http://www.fixtheexchange.com/
Obligatory “Who is this guy?” Slide
Master Sergeant, 183 Air Communications Flight
Illinois Air National Guard
“Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents.” - US-CERT
https://www.us-cert.gov/ncas/alerts/TA15-314A
Webshell
Upload & Timestomp
Let’s go Hunting!
You can run, but you can’t hide!
Attack Graphs
Where my logs at?
PS C:\> [adsi]"IIS://localhost/w3svc" | select LogFileDirectory | %{$_.LogFileDirectory}
C:\inetpub\logs\LogFiles
Step 1 – Find all Exchange (2010-2016) Servers with the Client Access Server Role.
Step 2 – Find where the IIS Logs are stored.
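Steps 1 and 2 as one script, added here as an example and not part of the original deck. It assumes the Exchange Management Shell is loaded, that the account can remote to every server, and that Exchange 2016 servers (where the Client Access role is folded into Mailbox) still report IsClientAccessServer as true; adjust the filter if your environment reports otherwise. The ADSI "IIS://" path shown on the slide needs the IIS 6 Management Compatibility feature installed, so the script reads the log directory through the WebAdministration module instead, which works on any IIS 7+ box and also covers the per-site overrides Exchange creates.

```powershell
# Added example (not from the deck): Exchange servers that serve client HTTP
# traffic, and the IIS log folders on each of them.

# Step 1 - servers with a front end. 2010: the explicit CAS role. 2013/2016:
# Mailbox servers also run IIS (the "Exchange Back End" site), so include them.
$casServers = Get-ExchangeServer | Where-Object {
    $major = $_.AdminDisplayVersion.Major            # 14 = 2010, 15 = 2013/2016
    $major -ge 14 -and (
        $_.IsClientAccessServer -eq $true -or
        ($major -ge 15 -and $_.ServerRole -match 'Mailbox')
    )
}

# Step 2 - per server and per IIS site, the resolved log folder. IIS stores
# the directory with an environment variable (%SystemDrive%\inetpub\logs\LogFiles)
# and appends W3SVC<site id> for each site.
$logLocations = Invoke-Command -ComputerName ($casServers | ForEach-Object { $_.Fqdn }) -ScriptBlock {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        $dir = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        [PSCustomObject]@{
            Server  = $env:COMPUTERNAME
            Site    = $site.name
            LogPath = Join-Path $dir ("W3SVC{0}" -f $site.id)
        }
    }
}

$logLocations | Sort-Object Server, Site | Format-Table Server, Site, LogPath -AutoSize
```

Check both the Default Web Site (port 443, the front end that an attacker reaches from the internet) and the Exchange Back End site on 2013/2016; a shell dropped under the back-end path is only reachable from the front end's proxied traffic, but it still lands in that site's log folder.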
Searching IIS Logs with Log Parser Studio
Indicators
• POST operations with low RequestCount
• URIs that don’t require authentication
• Note the UserAgent
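The same three indicators expressed in PowerShell over IIS W3C log lines, added here as an example rather than taken from the deck (which uses Log Parser Studio). The log lines are constructed for this example; the webshell path is the one that appears later in the deck's Invoke-ExchangeWebShellHunter output, and the $threshold value is an arbitrary starting point you tune to your own traffic.

```powershell
# Added example, not the deck's own query. Constructed IIS log sample: a few
# normal logins (POST /owa/auth.owa), Outlook EWS calls, and two anonymous
# POSTs to an .aspx under /owa/auth/ from one IP with an out-of-place UserAgent.
$sampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2016-11-21 17:02:11 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/50.0 302 0 0 140
2016-11-21 17:02:15 10.0.0.5 GET /owa/ - 443 CONTOSO\jdoe 198.51.100.10 Mozilla/5.0+(Windows+NT+10.0)+Firefox/50.0 200 0 0 55
2016-11-21 17:02:40 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.11 Mozilla/5.0+(Windows+NT+6.1)+Chrome/54.0 302 0 0 120
2016-11-21 17:03:05 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\jdoe 198.51.100.10 Microsoft+Office/16.0+(Windows+NT+10.0;+Outlook) 200 0 0 80
2016-11-21 17:03:40 10.0.0.5 POST /owa/auth/errorEE.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0 31
2016-11-21 17:03:58 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.12 Mozilla/5.0+(iPhone;+CPU+iPhone+OS+10_1)+Safari/602.1 302 0 0 131
2016-11-21 17:04:02 10.0.0.5 POST /owa/auth/errorEE.aspx - 443 - 203.0.113.7 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) 200 0 0 29
2016-11-21 17:04:30 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\asmith 198.51.100.20 Microsoft+Office/16.0+(Windows+NT+10.0;+Outlook) 200 0 0 77
2016-11-21 17:04:55 10.0.0.5 POST /ews/exchange.asmx - 443 CONTOSO\jdoe 198.51.100.10 Microsoft+Office/16.0+(Windows+NT+10.0;+Outlook) 200 0 0 83
2016-11-21 17:05:11 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.13 Mozilla/5.0+(Macintosh;+Intel+Mac+OS+X+10_12)+Safari/602.1 302 0 0 118
'@

# Turn W3C lines into objects using the #Fields: header as the column list.
function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [PSCustomObject]$row
    }
}

$entries = ConvertFrom-IisLog ($sampleLog -split "`r?`n")   # in production: Get-Content over the W3SVC* folders

# Indicator 1 - POST targets with a low RequestCount. auth.owa, EWS and
# ActiveSync are hit constantly; an operator talks to a shell a handful of times.
$threshold = 2
$lowVolumePosts = $entries |
    Where-Object { $_.'cs-method' -eq 'POST' } |
    Group-Object 'cs-uri-stem' |
    Where-Object { $_.Count -le $threshold } |
    ForEach-Object { [PSCustomObject]@{ Uri = $_.Name; RequestCount = $_.Count } }

# Indicator 2 - script files answering anonymous POSTs with 200. The login
# form (/owa/auth.owa) is the one anonymous POST endpoint under /owa and it
# answers 302; a script under /owa/auth/ that accepts anonymous POSTs and
# returns 200 is the classic drop location.
$anonScriptPosts = $entries | Where-Object {
    $_.'cs-method' -eq 'POST' -and
    $_.'cs-username' -eq '-' -and
    $_.'sc-status' -eq '200' -and
    $_.'cs-uri-stem' -match '\.(aspx|ashx|asmx)$'
}

# Indicator 3 - pivot on UserAgent and source IP: the shell's client keeps
# the same UA across hits, and the IP list is what you carry to other servers' logs.
$pivot = $anonScriptPosts |
    Group-Object { $_.'cs-uri-stem' }, { $_.'c-ip' }, { $_.'cs(User-Agent)' } |
    ForEach-Object { [PSCustomObject]@{ Hits = $_.Count; UriIpUserAgent = $_.Name } }

"== POST targets seen $threshold times or fewer =="
$lowVolumePosts | Format-Table -AutoSize
"== Anonymous POSTs returning 200 to a script file, by URI / IP / UserAgent =="
$pivot | Format-Table -AutoSize
```

On the sample data the first pass flags only /owa/auth/errorEE.aspx, and the pivot shows both hits from 203.0.113.7 with the same 2001-era MSIE 6 UserAgent, which no real OWA user presents in 2016. The second filter is the one that survives on a busy server: request counts alone will also surface rarely used legitimate endpoints.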
Identify Compromised Accounts
ClientId = Server-side Cookie Reference
Invoke-ExchangeWebShellHunter
PS C:\Windows\system32> Invoke-ExchangeWebShellHunter

FNBornTime     : 11/21/2016 4:59:41 PM
Server         : EX2016
UpdatedOn      : 11/20/2016 10:30 PM
File           : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx
InstalledOn    : 5/14/2016 3:21 AM
PSComputerName : EX2016
RunspaceId     : 21645dd4-02d5-4d94-bb77-3878b44e5ec0

Read the three timestamps together. InstalledOn and UpdatedOn are the creation and last-write times Windows normally shows (the NTFS $STANDARD_INFORMATION attribute), which the file-time APIs used by timestomping tools rewrite. FNBornTime is the creation time held in the $FILE_NAME attribute, which those APIs do not touch. A file that claims to have been installed in May 2016 but whose $FILE_NAME creation is November 2016 has been backdated.
https://github.com/FixTheExchange/Invoke-ExchangeWebShellHunter
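A complementary check you can run without the deck's tool, added here as an example and not part of Invoke-ExchangeWebShellHunter: every Exchange server at the same CU level carries the same set of script files under the front-end and client-access trees, so a script file present on only one server, or present with a hash no other server has, is worth opening. It assumes PowerShell remoting to each server and that $servers holds the list from Step 1; the $patterns list is an illustrative set of strings common in request-driven shells, not an exhaustive signature set. Created and Modified here come from $STANDARD_INFORMATION, so this does not replace the $FILE_NAME comparison above; it catches the file whether or not it was timestomped.

```powershell
# Added example (not the deck's tool): fleet-wide baseline of Exchange script
# files, then a content pass over the outliers only.
$servers = 'EX2016', 'EX2016B'     # assumption: replace with the Step 1 list

$inventory = Invoke-Command -ComputerName $servers -ScriptBlock {
    $root  = $env:ExchangeInstallPath          # set by Exchange setup on every server
    $paths = @((Join-Path $root 'FrontEnd\HttpProxy'), (Join-Path $root 'ClientAccess'))
    Get-ChildItem -Path $paths -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Server   = $env:COMPUTERNAME
                Relative = $_.FullName.Substring($root.Length).TrimStart('\')
                Hash     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Created  = $_.CreationTimeUtc
                Modified = $_.LastWriteTimeUtc
            }
        }
}

# A (relative path, hash) pair that fewer servers than the fleet carry is an
# outlier: a dropped file, or a legitimately customised one (logon page branding
# shows up here too, so expect a little noise).
$fleet = $servers.Count
$suspects = $inventory |
    Group-Object Relative, Hash |
    Where-Object { $_.Count -lt $fleet } |
    ForEach-Object { $_.Group } |
    Sort-Object Server, Relative

# Second pass on the outliers only: request-driven code execution strings.
# Assumption: an illustrative list, extend it with what your shells actually use.
$patterns = 'Request\[', 'Request\.Form', 'Request\.Item', 'eval\(',
            'Process\.Start', 'System\.Diagnostics', 'Assembly\.Load', 'unsafe'

$findings = foreach ($f in $suspects) {
    $content = Invoke-Command -ComputerName $f.Server -ArgumentList $f.Relative -ScriptBlock {
        param($rel) Get-Content -Raw (Join-Path $env:ExchangeInstallPath $rel)
    }
    $hits = @($patterns | Where-Object { $content -match $_ })
    [PSCustomObject]@{
        Server   = $f.Server
        File     = $f.Relative
        Created  = $f.Created
        Modified = $f.Modified
        OnHosts  = ($inventory | Where-Object { $_.Relative -eq $f.Relative -and $_.Hash -eq $f.Hash }).Count
        Patterns = ($hits -join ', ')
    }
}

$findings | Sort-Object { $_.Patterns.Length } -Descending | Format-Table -AutoSize
```

Run it from a workstation rather than from an Exchange server, and hash the outliers before you open them so the file can be pulled from other hosts' logs and from backups by hash later. A single-server environment has no fleet to compare against; there, compare the tree against a freshly installed server at the same CU, or against the CU's setup media.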
Password?
“pp” string = SHA-1 hash of the webshell password (a hash, not encryption: it is recovered by cracking, not decrypting)
Questions?