Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server, through real world examples. It’s easier than you might think, and these techniques can help up your DFIR game in environments containing Exchange Servers!
This talk was originally presented at the 2017 SANS Threat Hunting and Incident Response Summit. A recording of this talk and the slide deck from it are available below. If you would like an updated version of this talk presented at your event or conference, please contact me on Twitter or LinkedIn.

Cybersecurity, Exchange 2013, Exchange 2016