Hunting Webshells: Tracking TwoFace

Microsoft Exchange Servers are a high-value target for many adversaries, which makes investigating them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on these servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using the default logging available on every Exchange server. The presentation will feature real-world examples carried out by an adversary group using web-based backdoors to breach and maintain access to the networks of targeted organizations in the Middle East.

This talk has evolved over the last few years. I originally came up with the idea for this talk in 2016 after some friends and colleagues of mine from Microsoft’s Global Incident Response team (now called the Detection and Response Team) reached out to me for help analyzing a webshell they’d found at a customer. By this point I had analyzed a few different webshells targeting Exchange Servers, and thus the original version of this talk, titled “Hunting Webshells on Microsoft Exchange Server”, was born and delivered at the 2017 SANS Threat Hunting Summit. At the time I had no idea what to call this webshell.

Shortly after SANS released the recording of that talk, Palo Alto’s Unit 42 released a blog post by Robert Falcone, who called this webshell “TwoFace”. Robert and I started talking and decided to combine our research and co-present the next version of this talk. It was accepted by and delivered at the 2018 SANS Threat Hunting Summit. Video and slides from that version can be found below.

In 2019, we decided to update this talk again. We ended up delivering it at DerbyCon 9: Finish Line. Video and slides from this version can be found below as well.

If you would like this talk presented at your event or conference, please contact me on Twitter or LinkedIn.
