#ThreatHunting: When investigating a potentially compromised Exchange server, one of the first steps I take is to search the MFT for .aspx files (with @velocidex's MFT Hunt, for example). Examine the results for suspicious file names or paths.
(1/3)
The picture above shows different webshells that I identified within the first few minutes of the investigation.
(2/3)
This procedure also has the advantage of finding "hidden" web shells. Attackers can create a virtualDirectory that points to webshells in non-standard directories. Check the @HuntressLabs blog post about which configuration files to examine:
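Triage of the hunt described in this thread, as an added example: this is not the author's code and not a Velociraptor artifact. It assumes the MFT hunt has already been exported to rows carrying a `FullPath` and a `Created` timestamp (column names assumed), that Exchange is installed under the default `V15` path on `C:`, and that `applicationHost.config` is available as XML. The MFT rows and the config fragment below are constructed sample data, not output from a real incident.

```python
"""Triage of .aspx hits from an MFT export plus IIS virtualDirectory entries.

Added example, not the author's code and not a Velociraptor artifact. It assumes
the MFT hunt was exported to rows carrying a 'FullPath' and a 'Created' timestamp
(column names assumed), and that applicationHost.config is available as XML.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Roots where Exchange and IIS legitimately serve .aspx content.
# Assumption: Exchange 2016/2019 on C:; adjust to the host's install path.
KNOWN_ASPX_ROOTS = (
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy",
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess",
    r"C:\inetpub\wwwroot",
)

# Short stem containing a digit, e.g. "kw3fj.aspx": typical of dropped shells,
# untypical of files shipped by Exchange. A heuristic, not a signature.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{1,8}\.aspx$", re.IGNORECASE)


def under_known_root(path: str) -> bool:
    """True if path is one of the known roots or lies below one."""
    p = PureWindowsPath(path)
    return any(p == PureWindowsPath(r) or PureWindowsPath(r) in p.parents
               for r in KNOWN_ASPX_ROOTS)


def score_mft_rows(rows, now, recent=timedelta(days=30)):
    """Rank .aspx entries: one point per indicator, highest first.
    Files with no indicator are dropped so the analyst sees a short list."""
    findings = []
    for row in rows:
        path = row["FullPath"]
        if not path.lower().endswith(".aspx"):
            continue
        reasons = []
        if not under_known_root(path):
            reasons.append("outside known web roots")
        if RANDOM_NAME.match(PureWindowsPath(path).name):
            reasons.append("random-looking name")
        if now - row["Created"] <= recent:
            reasons.append("created recently")
        if reasons:
            findings.append((len(reasons), path, reasons))
    return sorted(findings, key=lambda f: (-f[0], f[1].lower()))


def suspicious_virtual_dirs(config_xml: str):
    """virtualDirectory entries whose physicalPath is outside the known roots:
    the 'hidden' web shell case, where IIS serves .aspx from an unexpected folder."""
    root = ET.fromstring(config_xml)
    hits = []
    for site in root.iter("site"):
        for app in site.iter("application"):
            for vdir in app.iter("virtualDirectory"):
                # applicationHost.config uses %SystemDrive%; assume it is C:.
                phys = vdir.get("physicalPath", "").replace("%SystemDrive%", "C:")
                if not under_known_root(phys):
                    hits.append((site.get("name"), app.get("path"), phys))
    return hits


# Constructed sample rows modelled on an MFT export; not from a real incident.
NOW = datetime(2021, 3, 10)
MFT_ROWS = [
    {"FullPath": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logon.aspx",
     "Created": datetime(2019, 6, 1)},
    {"FullPath": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\kw3fj.aspx",
     "Created": datetime(2021, 3, 3)},
    {"FullPath": r"C:\inetpub\wwwroot\aspnet_client\system_web\help.aspx",
     "Created": datetime(2021, 3, 4)},
    {"FullPath": r"C:\ProgramData\tmp\shell.aspx", "Created": datetime(2021, 3, 5)},
    {"FullPath": r"C:\Windows\System32\drivers\etc\hosts", "Created": datetime(2019, 6, 1)},
]

# Constructed applicationHost.config fragment: one legitimate OWA vdir, one
# attacker-style application serving a folder under ProgramData.
APPHOST_CONFIG = r"""<configuration><system.applicationHost><sites>
  <site name="Default Web Site" id="1">
    <application path="/" applicationPool="DefaultAppPool">
      <virtualDirectory path="/" physicalPath="%SystemDrive%\inetpub\wwwroot" />
    </application>
    <application path="/owa" applicationPool="MSExchangeOWAAppPool">
      <virtualDirectory path="/" physicalPath="C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa" />
    </application>
    <application path="/updates" applicationPool="DefaultAppPool">
      <virtualDirectory path="/" physicalPath="C:\ProgramData\tmp" />
    </application>
  </site>
</sites></system.applicationHost></configuration>"""

if __name__ == "__main__":
    for score, path, reasons in score_mft_rows(MFT_ROWS, NOW):
        print(score, path, ", ".join(reasons))
    for site, app, phys in suspicious_virtual_dirs(APPHOST_CONFIG):
        print("virtualDirectory", site, app, "->", phys)
```

The scoring is deliberately crude: a shell dropped into `owa\auth` with an ordinary-looking name and an old timestamp (timestomping) scores zero here, so the ranked list narrows the review, it does not replace it. The virtualDirectory check is what catches the "hidden" case: the file sits outside every web root, but IIS still serves it because the config says so.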
Many customers log process starts and executed programs in a SIEM, or have an EDR in use. Nevertheless, the question often arises: which product should one still buy? None at all! It is better to build detections on the existing logs. An example (🧵):
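Detections built only from process-start logs, as an added example (not the author's thread example and not any vendor's content). It assumes the events are available as JSON lines with Sysmon Event ID 1 style field names (`UtcTime`, `ParentImage`, `Image`, `CommandLine`); a Windows 4688 export needs only a field rename. The three rules and the sample events are constructed for illustration; the w3wp.exe rule is the one that matters on an Exchange server, since a web shell executes as a child of the IIS worker process.

```python
"""Detections built from process-start logs you already collect.

Added example, not the author's or any vendor's code. It assumes process starts
are available as JSON lines with Sysmon Event ID 1 style field names (UtcTime,
ParentImage, Image, CommandLine); a 4688 export needs only a field rename.
"""
import json
import re
from pathlib import PureWindowsPath

WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "net.exe", "whoami.exe"}
# Directories a standard user can write to; a binary starting here merits a look.
WRITABLE_ROOTS = (r"C:\Users", r"C:\ProgramData", r"C:\Windows\Temp")
# powershell.exe has only two parameters starting with -e, -EncodedCommand and
# -ExecutionPolicy, and accepts any unambiguous prefix, so a "-e..." that is not
# "-ex..." is an encoded command (-e, -ec, -enc, -encodedcommand, ...).
ENCODED = re.compile(r"\s-e(?!x)[a-z]*(\s|$)")


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def in_writable_dir(path: str) -> bool:
    p = PureWindowsPath(path)
    return any(PureWindowsPath(r) in p.parents for r in WRITABLE_ROOTS)


def web_worker_spawns_shell(e):
    # An IIS worker process does not launch interactive tooling on its own;
    # on an Exchange server this is the classic web shell signal.
    return image_name(e["ParentImage"]) in WEB_WORKERS and image_name(e["Image"]) in SHELLS


def encoded_powershell(e):
    return (image_name(e["Image"]) in {"powershell.exe", "pwsh.exe"}
            and ENCODED.search(e.get("CommandLine", "").lower()) is not None)


def exec_from_writable_dir(e):
    return in_writable_dir(e["Image"])


RULES = {
    "web_worker_spawns_shell": web_worker_spawns_shell,
    "encoded_powershell": encoded_powershell,
    "exec_from_writable_dir": exec_from_writable_dir,
}


def run_detections(lines):
    """Evaluate every rule against every event; return (rule, time, image) hits."""
    hits = []
    for line in lines:
        event = json.loads(line)
        for name, rule in RULES.items():
            if rule(event):
                hits.append((name, event["UtcTime"], event["Image"]))
    return hits


# Constructed sample events in the assumed format; not from a real system.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"UtcTime": "2021-03-05 10:12:01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"UtcTime": "2021-03-05 10:12:05", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"UtcTime": "2021-03-05 10:13:40", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"UtcTime": "2021-03-05 10:14:02", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Users\bob\AppData\Local\Temp\update.exe", "CommandLine": "update.exe"},
    {"UtcTime": "2021-03-05 10:15:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]]

if __name__ == "__main__":
    for hit in run_detections(SAMPLE_LOG):
        print(*hit)
```

Each rule is a plain predicate over one event, which is exactly what a SIEM search or an EDR custom rule boils down to; the last sample event shows why the encoded-command regex excludes `-ex...`, so that a scheduled script run with `-ExecutionPolicy Bypass` does not page anyone.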
The file we use to bypass UAC is "Akagi64.exe" - either compile it yourself from the UACME repository or download it (at your own risk) from a public source. Use the upload task from #Covenant to upload the binary to the target host (assuming, of course, that we already have a shell).