Last active
January 10, 2022 11:57
-
-
Save shiftybitshiftr/b36f9c8da00c87cdb72e15831562d3e3 to your computer and use it in GitHub Desktop.
Checks for known bad hashes and other log indicators listed in Microsoft/Volexity blog posts
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Check this folder for asp files C:\inetpub\wwwroot\aspnet_client\system_web | |
# Using SHA256 for file hash checking | |
# Enable following line to see the progress step through this scripts. Not required for automation. | |
# $VerbosePreference = "Continue" | |
# "-RunAsAdministrator" Required - admin privileges needed to read log paths | |
$KnownBadSHA256 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0","097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e","2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1","65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5","511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1","4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea","811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d","1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944" | |
write-verbose "Checking C:\inetpub\wwwroot\aspnet_client for extra files" | |
$enumfiles = Get-ChildItem -Path C:\inetpub\wwwroot\aspnet_client -Recurse -File | |
foreach($file in $enumfiles){ | |
write-host $file.DirectoryName | |
write-host $file.FullName | |
write-host $file.Name | |
$filehash = Get-FileHash -Path $file.FullName -Algorithm SHA256 | |
$filehash.Hash | |
if($KnownBadSHA256.Contains($filehash.Hash)) | |
{ | |
write-host "Bad hash detected - ASSUME BREACH" -ForegroundColor Red | |
} | |
} | |
# Shouldn't be any events | |
Write-verbose "Checking IIS-W3SVC-WP event logs" | |
Get-EventLog -LogName Application -Source IIS-W3SVC-WP -InstanceId 2303 | |
Write-verbose "Checking IIS-APPHOSTSVC event logs" | |
Get-EventLog -LogName Application -Source IIS-APPHOSTSVC -InstanceId 9009 | |
# This log should be empty | |
Write-verbose "Checking OABGenerator logs" | |
findstr /snip /c:"Download failed and temporary file" "%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog\*.log" | |
# Shouldn't be any events | |
Write-verbose "Checking Unified Message event logs" | |
Get-EventLog -LogName Application -Source "MSExchange Unified Messaging" -EntryType Error | Where-Object { $_.Message -like "*System.InvalidCastException*" } | |
# This log should be empty | |
Write-verbose "Checking for Set-VirtualDirectory indicators" | |
Select-String -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\ECP\Server\*.log" -Pattern 'Set-.+VirtualDirectory' | |
# Checks all the IIS logs looking for POST requests to /owa/auth/Current/themes/resources/ | |
Write-verbose "Checking for theme resource indicators" | |
$parse1 = Select-String -Path "C:\inetpub\logs\LogFiles\W3SVC1\*.log" -Pattern 'POST /owa/auth/Current/themes/resources/' | |
foreach($line in $parse1){ | |
write-host "This event/log entry was unexpected. Investigate." -ForegroundColor DarkRed | |
write-host $line -ForegroundColor DarkYellow | |
} | |
# Import-Csv -Path (Get-ChildItem -Recurse -Path "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" -Filter '*.log').FullName | Where-Object { $_.AuthenticatedUser -eq '' -and $_.AnchorMailbox -like 'ServerInfo~*/*' } | select DateTime, AnchorMailbox | |
# The above is the oneliner from the Microsoft Blog, if that doesn't work try this | |
$files = Get-ChildItem -Recurse "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy\*.log" | |
foreach($file in $files) | |
{ | |
# read the file contents into memory | |
write-host "Reading files" | |
write-host $file.Name | |
$readfile = Get-Content -Path $file | |
if($readfile -like "*ServerInfo~*/*"){ | |
write-host "SUSPICIOUS LOG DETECTED" -foregroundcolour red | |
write-host "Investigate further. Check if the AuthenticatedUser is '' / NULL and if so its a sign of attempted exploit." | |
write-host $readfile | |
read-host -Prompt "Press enter to continue" | |
} | |
} | |
# Look for aspx files with weird names or recent write times/date modified | |
Get-ChildItem -Path C:\inetpub\wwwroot\aspnet_client\ -Recurse -Filter "*.aspx" | |
# Look for aspx files (Default names are "errorFE.aspx", "ExpiredPassword.aspx","frowny.aspex","logoff.aspx","logon.aspx","OutlookCN.aspx","RedirSuiteServiceProxy.aspx", "signout.aspx") | |
Get-ChildItem -Path "C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\" -Recurse -Filter "*.aspx*" |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment