Hal Pomeranz · Apr 20, 2022 · 12:20 AM UTC

Hal Pomeranz @hal_pomeranz

20 Apr 2022

Notes from the IR front lines — if you have on-prem Exchange, assume compromise. Also start a plan to migrate to Microsoft 365… yesterday.

435

Chris Lincoln · Apr 20, 2022 · 10:27 AM UTC

Chris Lincoln @uplinc

20 Apr 2022

Getting past the FUD, what do you suggest orgs do? Are there any common IOCs people should look for?

Hal Pomeranz · Apr 20, 2022 · 11:55 AM UTC

Hal Pomeranz · Apr 20, 2022 · 11:55 AM UTC

Hal Pomeranz @hal_pomeranz

20 Apr 2022

Replying to @uplinc

The most common indicator we’re seeing is w3wp.exe spawning csc.exe. Look for webshells under …\Exchange Server\*\FrontEnd\HttpProxy\{owa,ecp}\*

Apr 20, 2022 · 11:55 AM UTC

Florian Roth · Apr 20, 2022 · 2:04 PM UTC

Florian Roth

@cyb3rops

20 Apr 2022

Careful, csc.exe is a legitimate sub process of w3wp.exe I recommend using e.g. the free THOR Lite to detect the webshells