Hunting Webshells: Tracking TwoFace

DerbyCon 9.0 - Finish Line

Presented by: Josh Bryant, Robert Falcone
Date: Sunday September 08, 2019
Time: 12:00 - 12:45
Location: Track 3

Microsoft Exchange Servers are a high-value target for many adversaries, which makes investigating them during Incident Response vital. Backdoor implants in the form of webshells and IIS modules on servers are on the rise. Find out how to hunt webshells and differentiate between legitimate use and attacker activity, using default logging available on every Exchange server. The presentation will feature real-world examples carried out by an adversary group using web-based backdoors to breach and maintain access to networks of targeted organizations in the Middle East.

Josh Bryant

Josh Bryant is a Director of Technical Account Management at Tanium, where he helps very large enterprise customers gain high-speed visibility and control over their endpoints.

Robert Falcone

Robert is a Threat Researcher with Palo Alto Networks' Unit 42 focusing on malware analysis, reverse engineering and tracking advanced threat actors.

