Notes from the IR front lines — if you have on-prem Exchange, assume compromise. Also start a plan to migrate to Microsoft 365… yesterday.
Getting past the FUD, what do you suggest orgs do? Are there any common IOCs people should look for?
Replying to @uplinc
The most common indicator we’re seeing is w3wp.exe spawning csc.exe. Look for webshells under …\Exchange Server\*\FrontEnd\HttpProxy\{owa,ecp}\*

Apr 20, 2022 · 11:55 AM UTC

Careful, csc.exe is a legitimate subprocess of w3wp.exe. I recommend using e.g. the free THOR Lite to detect the webshells.
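Pulling the two replies together, here is an added triage script (not written by anyone in the thread, and unrelated to THOR Lite): it counts w3wp.exe spawning csc.exe per host as a low-confidence signal, since the second reply points out that is normal IIS behaviour, and flags newly created script files under the FrontEnd\HttpProxy\{owa,ecp} path the first reply names. The process and file events are constructed samples in Sysmon-style fields, and the script-extension set (.aspx/.ashx/.asmx) is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style fields), not real telemetry.
PROCESS_EVENTS = [
    {"host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "EXCH01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"host": "EXCH02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Constructed sample file-create events (Sysmon Event ID 11 style target paths).
FILE_EVENTS = [
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\constructed1.aspx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\constructed2.ashx",
    r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\logo.png",
    r"C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\constructed3.aspx",
]

# Path pattern from the thread: ...\Exchange Server\<ver>\FrontEnd\HttpProxy\{owa,ecp}\...
# Only server-side script extensions are flagged (assumed set: .aspx/.ashx/.asmx).
WEBSHELL_PATH_RE = re.compile(
    r"\\Exchange Server\\[^\\]+\\FrontEnd\\HttpProxy\\(owa|ecp)\\.*\.(aspx|ashx|asmx)$", re.I)

def csc_under_w3wp(events):
    """Count w3wp.exe -> csc.exe spawns per host (low confidence: IIS compiles ASP.NET
    on the fly, so a hit means 'read the compiled source', not 'compromised')."""
    hits = Counter()
    for ev in events:
        parent = PureWindowsPath(ev["parent"]).name.lower()
        image = PureWindowsPath(ev["image"]).name.lower()
        if parent == "w3wp.exe" and image == "csc.exe":
            hits[ev["host"]] += 1
    return hits

def new_scripts_under_httpproxy(paths):
    """Return script files created under the owa/ecp HttpProxy directories."""
    return [p for p in paths if WEBSHELL_PATH_RE.search(p)]

def triage(process_events, file_paths):
    """Combine both signals into review items tagged with a confidence level."""
    findings = [("low", host, f"{n} csc.exe spawn(s) from w3wp.exe; review compiled sources")
                for host, n in csc_under_w3wp(process_events).items()]
    findings += [("high", "file", p) for p in new_scripts_under_httpproxy(file_paths)]
    return findings
```

A spike in the per-host csc.exe count relative to the host's own baseline is more useful than any single event, since routine compiles happen on every Exchange server.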