Back in April of 2016, Zaid Arafeh, Clare Kearney, and I recorded a 7-part series for the Microsoft Virtual Academy titled “Defending Active Directory against Cyberattacks”. Unfortunately, Microsoft retired the Virtual Academy and most of the recordings are no longer available. Some of the content is now part of this edX course on Managing […]

Hunting Webshells: Tracking TwoFace

September 9, 2019 | Conference Talks | No Comments

Microsoft Exchange Servers are a high-value target for many adversaries, which makes the investigation of them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on […]

In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty-handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent […]

The results are in: you’ve been breached. It’s officially the worst day of your career. How will you handle what comes next? Are you prepared to navigate the long road to recovery? Where do you even begin? Come, hitch a ride with me; I’ll show you the way. Lessons learned from dozens of compromise recoveries […]

Three years ago I wrote a document titled “Removing Exchange’s ability to impact Tier 0 and Tier 1” that was distributed internally at Microsoft as well as to dozens of Microsoft customers as part of Cybersecurity services delivered through Microsoft Consulting Services (MCS). I had always intended to get this document published publicly, but for […]

How fitting that 7 years after I started this blog I would relaunch it on a new platform (more on that to come). I know there have been many times it’s been neglected over the years due to my work/travel schedule, but that’s changing now. I’d like to thank anyone and everyone who’s stuck […]

Microsoft Exchange Servers are a high-value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using […]

I’ll be presenting a brand new session titled “Hunting Webshells on Microsoft Exchange Server” at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th! My session abstract: “Microsoft Exchange Servers are a high-value target, making investigation of them during Incident Response vital, but where do you start? […]

Exchange 2016 SP1 to run on Linux!

April 1, 2016 | Uncategorized | No Comments

Ever since last month’s announcement that Microsoft SQL Server will be coming to Linux, quiet rumors have been floating around that some of Microsoft’s other Enterprise Products, such as Exchange Server, may follow suit. With this week’s announcement at the Build conference about the popular Linux shell “BASH” coming to Windows, I decided it was time to see […]