I’ll be presenting a brand new session titled “Hunting Webshells on Microsoft Exchange Server” at the 2017 SANS Threat Hunting and Incident Response Summit in New Orleans on April 18th and 19th!
My session abstract:
“Microsoft Exchange Servers are a high value target, making investigation of them during Incident Response vital, but where do you start? What should you look for? Backdoor implants in the form of webshells hiding in OWA are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange Server, through real world examples. It’s easier than you might think, and these techniques can help up your DFIR game in environments containing Exchange Servers!”
Full agenda: https://www.sans.org/event-downloads/45247/agenda.pdf
More details: https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017
If you can’t make the summit, a recording should be available afterwards. I’ll post a link to the recording and a detailed blog on this subject when available.
Josh M. Bryant is currently a Director of Technical Product Management at Tanium where he builds products that help customers overcome the challenges of managing very large scale computing environments. Prior to joining Tanium, he was a Premier Field Engineer at Microsoft specializing in Microsoft Exchange Server, and then later a Cybersecurity Architect specializing in Compromise Recovery.