@technion
Created November 15, 2022 23:07
<#
Exchange IIS Server Integrity Check
Identify common webshells and backdoors associated with compromises
Usage:
Prepare a hash list. Note that this may need to be regenerated after Microsoft Exchange updates
Write-IntegrityFile [ -hashfile "filename.json" ]
Check the current files against the saved hash list
Checkpoint-IntegrityFile [ -hashfile "filename.json" ]
All commands accept -Verbose flag for additional output
#>
# Fail fast: uninitialised variables are errors, and any non-terminating
# cmdlet error becomes a terminating one for the rest of this script.
Set-StrictMode -Version 2.0
$ErrorActionPreference = 'Stop'
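function Build-HashList {
    <#
    .SYNOPSIS
    Enumerate the Exchange front-end web content and hash every matching file.

    .DESCRIPTION
    Walks the Exchange Frontend directory and the IIS aspnet_client physical
    path recursively and returns one hashtable (File, Hash) per file whose
    name matches one of the supplied patterns. Paths are passed literally so
    names containing PowerShell wildcard characters ('[', ']', '*', '?') are
    hashed rather than interpreted as patterns.

    .PARAMETER Filter
    File name patterns to hash. Defaults to '*.aspx', which preserves the
    original behaviour; callers may pass further server-side extensions
    (for example '*.ashx', '*.asmx', '*.asp') to widen the baseline.

    .OUTPUTS
    System.Collections.Hashtable — one object per file with keys File and Hash
    (SHA-384, upper-case hex as returned by Get-FileHash).

    .NOTES
    Requires the WebAdministration module (Get-WebFilePath) and the
    ExchangeInstallPath environment variable. Because the script sets
    $ErrorActionPreference = 'Stop', an unreadable file aborts the run
    rather than being silently skipped.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [String[]]$Filter = @('*.aspx')
    )
    if (-not $env:exchangeinstallpath) {
        # Without the variable the first directory would resolve to '\Frontend'
        # on the current drive and the scan would silently cover the wrong tree.
        throw 'ExchangeInstallPath is not set; run this on an Exchange server.'
    }
    $directories = @(
        (Join-Path $env:exchangeinstallpath 'Frontend'),
        (Get-WebFilePath 'IIS:\Sites\Default Web Site\aspnet_client').FullName
    )
    # If your environment includes any additional paths for consideration they may be added here
    $hashlist = New-Object System.Collections.Generic.List[object]
    foreach ($directory in $directories) {
        foreach ($pattern in $Filter) {
            # -File skips directories whose names happen to match the pattern;
            # Get-FileHash would otherwise fail on them and abort the scan.
            $files = Get-ChildItem -LiteralPath $directory -Filter $pattern -Recurse -File
            foreach ($file in $files) {
                $hashlist.Add(@{
                    File = $file.FullName
                    Hash = (Get-FileHash -Algorithm SHA384 -LiteralPath $file.FullName).Hash
                })
            }
        }
    }
    # Unrolls exactly like the original array: nothing for zero files, a bare
    # hashtable for one, an array for several.
    return $hashlist.ToArray()
}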
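function Write-IntegrityFile {
    <#
    .SYNOPSIS
    Record a baseline of file hashes for the Exchange web content.

    .DESCRIPTION
    Builds the hash list and writes it as JSON to -hashfile. The baseline is
    only meaningful if it is taken from a host known to be clean; regenerate it
    after every Exchange update and keep a copy off the server, since a
    baseline an attacker can rewrite gives no assurance.

    .PARAMETER hashfile
    Path of the JSON file to write. Defaults to .\aspxhashes.json in the
    current directory.

    .OUTPUTS
    None. Writes a verbose message when -Verbose is given.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [String]$hashfile = ".\aspxhashes.json"
    )
    $entries = @(Build-HashList)
    if ($entries.Count -eq 0) {
        # An empty baseline would make every later Checkpoint-IntegrityFile
        # run fail on a null reference set, so refuse to write one.
        throw 'No files were found to hash; refusing to write an empty integrity file.'
    }
    # Same JSON shape as before: a single object for one entry, an array otherwise.
    $json = $entries | ConvertTo-Json
    # Windows PowerShell's Set-Content default is the ANSI code page, which
    # would mangle non-ASCII path names; UTF-8 round-trips them intact.
    Set-Content -LiteralPath $hashfile -Value $json -Encoding UTF8
    Write-Verbose "Written integrity list to $hashfile"
}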
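function Checkpoint-IntegrityFile {
    <#
    .SYNOPSIS
    Compare the current web content hashes against a saved baseline.

    .DESCRIPTION
    Rebuilds the hash list, loads the baseline written by Write-IntegrityFile
    and reports every mismatch. Files present on disk with a File/Hash pair the
    baseline never recorded (new or modified content) are reported as
    unauthorised. Baseline entries with no matching file are reported on a
    separate line so that a removed legitimate file is not mistaken for a
    webshell, and a modified file is not listed twice.

    .PARAMETER hashfile
    Path of the baseline JSON file. Defaults to .\aspxhashes.json.

    .OUTPUTS
    System.String — a line naming the unauthorised files and/or a line naming
    the missing baseline entries; nothing when everything matches.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $false)]
        [String]$hashfile = ".\aspxhashes.json"
    )
    if (-not (Test-Path -LiteralPath $hashfile -PathType Leaf)) {
        throw "Integrity file '$hashfile' not found; run Write-IntegrityFile first."
    }
    # Round trip through JSON so both sides are PSCustomObjects with identical
    # property shapes, which Compare-Object -Property relies on.
    $current = @(Build-HashList | ConvertTo-Json | ConvertFrom-Json)
    # -Raw hands ConvertFrom-Json the whole document; line-by-line input is not
    # parsed as a single object on every PowerShell version.
    $expected = @(Get-Content -LiteralPath $hashfile -Raw | ConvertFrom-Json)
    if ($expected.Count -eq 0) {
        throw "Integrity file '$hashfile' contains no entries."
    }
    if ($current.Count -eq 0) {
        # Compare-Object rejects an empty difference set; with nothing on disk
        # every baseline entry is missing and nothing is unauthorised.
        $unauthorised = @()
        $missing = @($expected | Select-Object -ExpandProperty File -Unique)
    } else {
        $diff = Compare-Object -ReferenceObject $expected -DifferenceObject $current -Property Hash, File
        # '=>' rows exist on disk but not in the baseline: the security finding.
        $unauthorised = @($diff | Where-Object SideIndicator -eq '=>' |
            Select-Object -ExpandProperty File -Unique)
        # '<=' rows are baseline entries without an exact match; drop the ones
        # already reported above (a modified file appears on both sides).
        $missing = @($diff | Where-Object SideIndicator -eq '<=' |
            Select-Object -ExpandProperty File -Unique |
            Where-Object { $unauthorised -notcontains $_ })
    }
    if ($unauthorised.Count -gt 0) {
        Write-Output "Unauthorised web application found: $($unauthorised)"
    }
    if ($missing.Count -gt 0) {
        Write-Output "Baseline entries with no matching file (removed or replaced): $($missing)"
    }
    if ($unauthorised.Count -eq 0 -and $missing.Count -eq 0) {
        Write-Verbose "No unauthorized web applications found"
    }
}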