Built off the open source project Osquery
Description: This query looks for suspected webshells in the locations where they are commonly dropped (the IIS aspnet_client folder, the Exchange OWA/ECP auth directories, and short-named folders under ProgramData), while filtering out the legitimate Exchange pages that normally sit in those paths. Updated with additional file paths to include user-profile and ProgramData locations.
What The Data Shows: This query is useful for a quick fleet-wide scan to find hosts that may be compromised with webshells. Any .asp/.aspx file returned that is not one of the excluded stock OWA/ECP pages warrants review. The Exchange patterns assume the default install path under C:\Program Files\Microsoft\Exchange Server; adjust them if Exchange is installed elsewhere. Note that C:\Users\All Users is a junction to C:\ProgramData on modern Windows, so both sets of patterns refer to the same directories. The osquery file table reports ctime as the last status change, not creation, so the "Created" column below uses btime (birth time); the "Last Accessed" column is only meaningful if access-time updates are enabled on the volume.
SQL:
SELECT
  path,
  datetime(atime, 'unixepoch', 'localtime') AS "Last Accessed",
  datetime(mtime, 'unixepoch', 'localtime') AS "Last Modified",
  datetime(btime, 'unixepoch', 'localtime') AS "Created"
FROM file
WHERE
     path LIKE 'C:\inetpub\wwwroot\aspnet_client\%.as%'
  OR path LIKE 'C:\inetpub\wwwroot\aspnet_client\system_web\%.as%'
  OR path LIKE 'C:\Users\All Users\COM\%'
  OR path LIKE 'C:\Users\All Users\COM1\%'
  OR path LIKE 'C:\Users\All Users\CON\%'
  OR path LIKE 'C:\Users\All Users\WHO\%'
  OR path LIKE 'C:\Users\All Users\XYZ\%'
  OR path LIKE 'C:\Users\All Users\ZOO\%'
  OR path LIKE 'C:\Users\All Users\ZING\%'
  OR path LIKE 'C:\programdata\COM\%'
  OR path LIKE 'C:\programdata\COM1\%'
  OR path LIKE 'C:\programdata\CON\%'
  OR path LIKE 'C:\programdata\WHO\%'
  OR path LIKE 'C:\programdata\XYZ\%'
  OR path LIKE 'C:\programdata\ZOO\%'
  OR path LIKE 'C:\programdata\ZING\%'
  OR path LIKE 'C:\program files\microsoft\exchange server%\%\FrontEnd\HttpProxy\owa\auth\Current\%.as%'
  OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\Current\%\%.as%'
  OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\%\%.as%'
  OR (path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\ecp\auth\%.as%'
      AND path NOT LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\ecp\auth\TimeoutLog%.aspx')
  OR (path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\%.as%'
      AND NOT (
           path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\errorFE.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\ExpiredPassword.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\frowny.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\logoff.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\logon.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\RedirSuiteServiceProxy.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\signout.aspx'
        OR path LIKE 'C:\program files\microsoft\exchange server%\v%\FrontEnd\HttpProxy\owa\auth\SvmFeedback.aspx'
      ));
> Requirement: Tests successful.
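The hunt query above only returns paths and timestamps, so every hit still needs a second trip to the host to decide whether it is a webshell. The following is an added triage variant, not part of the original query pack, that restricts the scan to the OWA auth directory, joins the osquery hash table so each candidate comes back with its SHA-256 and size, and keeps only regular files modified in the last 30 days. It assumes the default Exchange install path; the 30-day window is an arbitrary example value.

```sql
-- Added triage example (not part of the original query): return hash, size and
-- type for recently modified .asp/.aspx files under OWA auth that are not stock pages.
-- The hash table is constrained through the join on path, as osquery requires.
SELECT
  f.path,
  f.size,
  f.type,
  datetime(f.mtime, 'unixepoch', 'localtime') AS "Last Modified",
  datetime(f.btime, 'unixepoch', 'localtime') AS "Created",
  h.sha256
FROM file f
JOIN hash h ON h.path = f.path
WHERE f.path LIKE 'C:\program files\microsoft\exchange server\v%\FrontEnd\HttpProxy\owa\auth\%.as%'
  AND f.type = 'regular'
  -- example window; widen or drop it for a full historical sweep
  AND f.mtime > CAST(strftime('%s', 'now', '-30 days') AS INTEGER)
  AND NOT (
       f.path LIKE '%\owa\auth\errorFE.aspx'
    OR f.path LIKE '%\owa\auth\ExpiredPassword.aspx'
    OR f.path LIKE '%\owa\auth\frowny.aspx'
    OR f.path LIKE '%\owa\auth\logoff.aspx'
    OR f.path LIKE '%\owa\auth\logon.aspx'
    OR f.path LIKE '%\owa\auth\OutlookCN.aspx'
    OR f.path LIKE '%\owa\auth\RedirSuiteServiceProxy.aspx'
    OR f.path LIKE '%\owa\auth\signout.aspx'
    OR f.path LIKE '%\owa\auth\SvmFeedback.aspx'
  );
```

The SHA-256 lets the same artifact be matched across hosts and against known-good Exchange builds, and a suspiciously small size (a few hundred bytes) is itself a useful signal, since most stock OWA pages are considerably larger than a one-line eval shell. Hashing is comparatively expensive, so keep this variant scoped to a single directory rather than applying it to the full path list of the hunt query.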