Created November 15, 2022 23:07
Exchange IIS Server Integrity Check
Identify common webshells and backdoors associated with compromises
Prepare a hash list. Note that this may need to be updated after Microsoft Exchange updates:
Write-IntegrityFile [ -hashfile "filename.json" ]
Check the current files for consistency with the hash list:
Checkpoint-IntegrityFile [ -hashfile "filename.json" ]
All commands accept the -Verbose flag for additional output.
Set-StrictMode -Version 2
$ErrorActionPreference = 'Stop'

# Get-WebFilePath and the IIS: drive are provided by the WebAdministration module
Import-Module WebAdministration

# Collect the path and SHA384 hash of every .aspx file under the monitored directories
function Build-HashList {
    $directories = @()
    $directories += "$($env:exchangeinstallpath)/Frontend"
    $directories += (Get-WebFilePath 'IIS:\Sites\Default Web Site\aspnet_client').Fullname
    # If your environment includes any additional paths for consideration they may be added here

    $hashlist = @()
    foreach($directory in $directories) {
        $aspxfiles = Get-ChildItem -Path "$directory" -Filter *.aspx -Recurse
        foreach($aspxfile in $aspxfiles) {
            $hashlist += @{
                File = $aspxfile.Fullname
                Hash = (Get-FileHash -Algorithm SHA384 $aspxfile.Fullname).Hash
            }
        }
    }
    return $hashlist
}

# Write the current hash list to a JSON baseline file
function Write-IntegrityFile {
    param(
        [Parameter(Mandatory = $false)]
        [String]$hashfile = ".\aspxhashes.json"
    )
    $hashlist = Build-HashList | ConvertTo-Json
    Set-Content -Path $hashfile -Value $hashlist
    Write-Verbose "Written integrity list to $hashfile"
}

# Compare the files currently on disk against the stored baseline
function Checkpoint-IntegrityFile {
    param(
        [Parameter(Mandatory = $false)]
        [String]$hashfile = ".\aspxhashes.json"
    )
    $hashlist = Build-HashList | ConvertTo-Json | ConvertFrom-Json # Round trip ensures the same data format
    # -Raw reads the baseline as one string so the JSON is parsed as a single document
    $expected = Get-Content -Path $hashfile -Raw | ConvertFrom-Json
    # Any File/Hash pair present on only one side is a new, changed or removed file
    $diff = Compare-Object -ReferenceObject $expected -DifferenceObject $hashlist -Property Hash,File | Select-Object File -Unique
    if ($diff) {
        Write-Output "Unauthorised web application found: $($diff.File)"
    } else {
        Write-Verbose "No unauthorized web applications found"
    }
}
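Checkpoint-IntegrityFile reports only the affected file names, so a new file, a modified file and a file removed since the baseline all look the same. The following is an added example, not part of the original gist: Compare-IntegrityBaseline is a hypothetical helper that labels each difference, run here on constructed sample entries with placeholder paths and hash strings.

```powershell
# Added example (not from the gist): classify baseline drift per file.
# Compare-IntegrityBaseline is a hypothetical helper name.
function Compare-IntegrityBaseline {
    param(
        [object[]]$Expected = @(),   # entries loaded from the baseline JSON
        [object[]]$Current  = @()    # entries built from the files on disk now
    )
    # Index both lists by path; PowerShell hashtable keys are case-insensitive,
    # which matches Windows path semantics.
    $old = @{}
    foreach ($e in $Expected) { $old[$e.File] = $e.Hash }
    $new = @{}
    foreach ($c in $Current) { $new[$c.File] = $c.Hash }

    foreach ($file in $new.Keys) {
        if (-not $old.ContainsKey($file)) {
            # Present on disk but never baselined
            [pscustomobject]@{ Status = 'Added'; File = $file }
        } elseif ($old[$file] -ne $new[$file]) {
            # Same path, different content
            [pscustomobject]@{ Status = 'Modified'; File = $file }
        }
    }
    foreach ($file in $old.Keys) {
        if (-not $new.ContainsKey($file)) {
            # Baselined but no longer on disk
            [pscustomobject]@{ Status = 'Removed'; File = $file }
        }
    }
}

# Constructed sample data: paths and hash strings are placeholders, not real values
$baseline = @(
    [pscustomobject]@{ File = 'C:\Sample\Frontend\a.aspx'; Hash = 'HASH-A1' }
    [pscustomobject]@{ File = 'C:\Sample\Frontend\b.aspx'; Hash = 'HASH-B1' }
    [pscustomobject]@{ File = 'C:\Sample\Frontend\c.aspx'; Hash = 'HASH-C1' }
)
$current = @(
    [pscustomobject]@{ File = 'C:\Sample\Frontend\a.aspx';   Hash = 'HASH-A1' }  # unchanged
    [pscustomobject]@{ File = 'C:\Sample\Frontend\b.aspx';   Hash = 'HASH-B2' }  # content changed
    [pscustomobject]@{ File = 'C:\Sample\Frontend\new.aspx'; Hash = 'HASH-N1' }  # not in baseline
)

Compare-IntegrityBaseline -Expected $baseline -Current $current |
    Sort-Object Status, File | Format-Table -AutoSize
```

With real data, pass the parsed baseline file as -Expected and the output of Build-HashList as -Current. A run of Modified entries right after an Exchange update usually means the baseline needs regenerating, while Added entries warrant inspection first.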