OWA Breach detection script

Posted by: Lion

I made a quick and dirty detection script during incident response that searches a bit deeper for LSASS dumps and other artefacts left behind by attackers.

It is kind of quick and dirty, so use it at your own risk.
It had a detection for the installed Exchange path, but I don't use it anymore. Ignore it and just choose C:\Temp\.

Command Line Arguments:
--fileTypeMustMatch  Enforces that all checks are only performed if the expected file type (Executable, Driver, MEMDump) is matched.
--fileSizeCheck  Checks whether a given file can be what we are looking for, based on predefined sizes for the given type.
--customHashValuesFile  Takes a list of custom SHA-1 or SHA-256 hash values and searches for these hashes in either basic or folder mode.
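As an added example (not the original script or its source), here is a minimal Python version of the three checks above: file type detection by magic bytes, the size sanity check, and a custom SHA-1/SHA-256 hash list, run in folder mode over a constructed sample directory. The size windows and the magic bytes used are assumptions, not values taken from the script.

```python
import hashlib
import os
import tempfile

# Classify by magic bytes, not extension: "MDMP" is a Windows minidump (the
# format LSASS dump tools normally write), "MZ" is a PE image (exe/dll/sys alike).
MAGIC = {b"MDMP": "MEMDump", b"MZ": "Executable"}
# Plausible size windows in bytes (assumed values): a real LSASS dump is never tiny.
SIZE_RANGES = {"MEMDump": (1_000_000, 4_000_000_000), "Executable": (1024, 500_000_000)}

def classify(data: bytes) -> str:
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "Unknown"

def size_plausible(kind: str, size: int) -> bool:
    lo, hi = SIZE_RANGES.get(kind, (0, float("inf")))
    return lo <= size <= hi

def scan_folder(folder, custom_hashes=frozenset(), file_type_must_match=False, file_size_check=False):
    """Folder mode: flag minidumps and any file whose SHA-1/SHA-256 is in custom_hashes."""
    findings = []
    for root, _, files in os.walk(folder):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            kind = classify(data)
            if file_type_must_match and kind == "Unknown":
                continue  # --fileTypeMustMatch: skip files of no expected type
            if file_size_check and not size_plausible(kind, len(data)):
                continue  # --fileSizeCheck: skip implausible sizes for the type
            hit = {hashlib.sha1(data).hexdigest(), hashlib.sha256(data).hexdigest()} & custom_hashes
            if kind == "MEMDump" or hit:
                findings.append({"path": path, "type": kind, "hash_match": bool(hit)})
    return findings

def demo():
    """Scan a constructed sample folder with both checks on; returns (name, type, hash_match)."""
    samples = {"lsass.dmp": b"MDMP" + b"\0" * 1_000_000,  # plausible minidump
               "tiny.dmp": b"MDMP" + b"\0" * 16,          # right magic, too small
               "notes.txt": b"just text",                 # no expected type
               "tool.exe": b"MZ" + b"\x90" * 4096}        # found via the hash list
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        wanted = frozenset({hashlib.sha256(samples["tool.exe"]).hexdigest()})
        found = scan_folder(d, wanted, file_type_must_match=True, file_size_check=True)
    return sorted((os.path.basename(f["path"]), f["type"], f["hash_match"]) for f in found)
```

Note that a driver (.sys) is also a PE image, so this simplified classifier reports it as Executable rather than as a separate Driver type.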

Download Source Code:
OWA_Exploitation_Detector-File-Sign_src.zip
Download Build / Executable:
Build.zip

Latest update:
Not locking Exchange files anymore – the previous version might create race conditions.

Screenshot:
Exchange Breach detection
