Josh's picture

Hunting Webshells on Microsoft Exchange Server

Last month I gave a talk at the SANS Threat Hunting and Incident Response Summit on Hunting Webshells on Microsoft Exchange Server. The SANS Institute has posted a video of that talk on YouTube; check it out here.
You can also view the slides from the talk here, and download the Invoke-ExchangeWebShellHunter script from GitHub here.



Join me at the 2017 SANS Threat Hunting and Incident Response Summit - April 18th and 19th

I'll be presenting a brand new session titled "Hunting Webshells on Microsoft Exchange Server" at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th!

My session abstract:
"Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server, through real world examples. It’s easier than you might think, and these techniques can help up your DFIR game in environments containing Exchange Servers!"


Exchange 2016 SP1 to run on Linux!

Ever since last month's announcement that Microsoft SQL Server will be coming to Linux, quiet rumors have been floating around that some of Microsoft's other Enterprise Products, such as Exchange Server, may follow suit. With this week's announcement at the Build conference about the popular Linux shell "BASH" coming to Windows, I decided it was time to see what the Exchange team has planned for Linux, if anything. Today I caught up with a member of the Exchange team that wishes to remain anonymous to get the inside scoop on Exchange 2016 SP1 and support for installing it on Linux!


Changing my focus in 2016.

I've always had two passions throughout my IT career: Messaging and Security. I tend to change my focus from one to the other every few years. For the past couple of years as a Premier Field Engineer, I was fortunate enough to be able to leverage both of my passions; however, Messaging was my primary focus. Yesterday was my first day back to work in 2016. It was also the start of a new role for me at Microsoft. I am now a Cybersecurity Architect, and with that my primary focus changes to Security once again. This means you'll probably see a little more Security-focused content on my blog from now on.


Exchange 2016 is here!

Exchange 2016 has been officially released! Read the official announcement here: More to come soon.


Autodiscover error 0x80090014 during Outlook's Test E-mail AutoConfiguration

This week I was helping a customer figure out why their Windows 8.1 with Outlook 2013 clients couldn't connect to Exchange 2010 over Outlook Anywhere with Smartcard Authentication, but their Windows 7 with Outlook 2010 clients could.  After a couple days of looking at network traces on firewalls, Process Explorer, and Process Monitor on several clients, we finally figured it out. Keep reading for more details on symptoms, cause, and resolution.

Outlook Profile creation either fails after a single PIN prompt with a message stating that encrypted communication with the Exchange Server could not be established, or profile creation never progresses past the first stage with repeated PIN prompts.


Where to find me during the Microsoft Ignite Conference

Here are some times/places you can find me during the Microsoft Ignite conference next week.


Sunday May 3rd

3-4 PM - #BeerIT - I'm hoping to make this pre-conference party, but the time conflicts with a meeting I have. Hopefully I'll be able to make it for at least part of it.

6-9 PM - Exchange and Sharepoint Pre-Release Program Pre-Event - This one is invite only, if you have an invite, I'll see you there!


Monday May 4th

6-8 PM Welcome Reception/Ask the Experts in the Expo Hall - I'll be hanging out in the Office 365/Exchange area wearing one of the "EXPERT" Orange shirts.

After Hours - TBD


Tuesday May 5th


EXCLUSIVE: Exchange 2016 to run on Minecraft!

A month in advance of the Ignite Conference, an anonymous source within the Exchange Product Group tells us Exchange 2016 is being built on, and will run entirely inside of, Minecraft. Check out my exclusive interview below!


FixTheExchange: Why Minecraft?!


Join me for "Shut the Front Door! Securing your Messaging Environment" at the Microsoft Ignite Conference on May 6th!

If you haven't already heard, I'll be delivering a session at the Microsoft Ignite conference at the McCormick Place in Chicago, Illinois, May 4-8. My session is called "Shut the Front Door! Securing your Messaging Environment" (Session code BRK3109).

UPDATED!  TIME CHANGE! (Updated again, for some reason the strikethrough text isn't working, removed some text to avoid confusion)

The date and time of my session have been officially announced: it will be Wednesday May 6th from 10:45 AM to 12:00 PM. You can find more details here. Also be sure to check out my promo video on YouTube.


Exchange 2013 CU8, Exchange 2010 SP3 RU9, and Exchange 2007 SP3 RU16 have been released!

