Hunting Webshells

On Microsoft Exchange Server

Josh M. BryantCybersecurity Architect (Senior Consult Cyber II)Microsoft

@FixTheExchangehttp://www.fixtheexchange.com/

Obligatory “Who is this guy?” Slide

Master Sergeant183 Air Communications Flight

Illinois Air National Guard

“Consistent use of web shells by Advanced Persistent Threat (APT) and criminal groups has led to significant cyber incidents.” - US-

CERT

https://www.us-cert.gov/ncas/alerts/TA15-314A

Webshell

Webshell

Webshell

Upload & Timestomp

Let’s go Hunting!

You can run, but you can’t hide!

Attack Graphs

Let’s go Hunting!

You can run, but you can’t hide!

Where my logs at?

PS C:\> [adsi]"IIS://localhost/w3svc" | select LogFileDirectory | %{$_.LogFileDirectory} C:\inetpub\logs\LogFiles

Step 1 – Find all Exchange (2010-2016) Servers with the Client Access Server Role.

Step 2 – Find where the IIS Logs are stored.

Searching IIS Logs with Log Parser Studio

Indicators• POST operations with low RequestCount• URIs that don’t require authentication

Searching IIS Logs with Log Parser StudioNote UserAgent

Identify Compromised Accounts

Searching IIS Logs with Log Parser Studio

Identify Compromised Accounts

ClientId = Server-side Cookie Reference

Invoke-ExchangeWebShellHunter

PS C:\Windows\system32> Invoke-ExchangeWebShellHunter

FNBornTime : 11/21/2016 4:59:41 PMServer : EX2016UpdatedOn : 11/20/2016 10:30 PMFile : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspxInstalledOn : 5/14/2016 3:21 AMPSComputerName : EX2016RunspaceId : 21645dd4-02d5-4d94-bb77-3878b44e5ec0

https://github.com/FixTheExchange/Invoke-ExchangeWebShellHunter

Password?

“pp” string = SHA1 Encrypted Password

Josh M. BryantCybersecurity Architect (Senior Consult Cyber II)Microsoft

@FixTheExchangehttp://www.fixtheexchange.com/

Questions?

Master Sergeant183 Air Communications Flight

Illinois Air National Guard