Cybersecurity

Josh's picture

Hunting Webshells on Microsoft Exchange Server

Last month I gave a talk at the SANS Threat Hunting and Incident Response Summit on Hunting Webshells on Microsoft Exchange Server.  The SANS Institute has posted a video of that talk on YouTube, check it out here.
You can also view the slides from the talk here, and download the Invoke-ExchangeWebShellHunter script from GitHub here.

 

Josh's picture

Join me at the 2017 SANS Threat Hunting and Incident Response Summit - April 18th and 19th

I'll be presenting a brand new session titled "Hunting Webshells on Microsoft Exchange Server" at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th!

My session abstract:
"Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server, through real world examples. It’s easier than you might think, and these techniques can help up your DFIR game in environments containing Exchange Servers!"

Subscribe to RSS - Cybersecurity