Hunting Webshells: Tracking TwoFace

Presented at DerbyCon 9.0 Finish Line (2019), Sept. 8, 2019, noon (45 minutes)

Microsoft Exchange Servers are a high-value target for many adversaries, which makes the investigation of them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every exchange server. The presentation will feature real-world examples carried out by an adversary group using web-based backdoors to breach and maintain access to networks of targeted organizations in the Middle East.

Presenters:

• Josh Bryant
  Josh Bryant is a Director of Technical Account Management at Tanium where he helps very large enterprise customers gain high speed visibility and control over their endpoints.
• Robert Falcone
  Robert is a Threat Researcher with Palo Alto Networks' Unit 42 focusing on malware analysis, reverse engineering and tracking advanced threat actors.

Links:

• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Hunting Webshells Tracking TwoFace Josh Bryant Robert Falcone.mp4
• https://infocon.org/cons/DerbyCon/DerbyCon 9 2019/Hunting Webshells Tracking TwoFace Josh Bryant Robert Falcone.eng.srt (subtitles)
• https://www.youtube.com/watch?v=ClBdUKMjFPs

Similar Presentations:

• TROOPERS17 (2017) / Ruler - Pivoting Through Exchange