lgpolt.blogg.se

Export a list of users from IIS log file











This will be a high-level summary of the different logs that can be found on an on-premises Exchange server and that can be useful during an IR. For each log, I'll try to explain what we can achieve with it. Not all logs are useful, so I've only picked the ones that I'm aware of and believe are useful.

One of the useful logs on an Exchange server is the IIS log. From hunting down ProxyLogon to webshell activity, IIS logs can play a huge role in finding these suspicious activities. IIS logs are by default stored at the following location: C:\inetpub\logs\LogFiles and come with two folders. Both of these IIS log files contain all the GET and POST requests that are made. They also include basic items such as IP and username, request date and time, service status and number of bytes received, as well as detailed items of target files.

This is how the structure of the IIS log looks with all the fields:

#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken

Let's take a quick example of a GET request that was made by an attacker. The two lines that I've highlighted are the webshell activity. However, this time we are initiating a POST request.

By default, the Exchange setup logs are located at: C:\ExchangeSetupLogs. The Setup log tracks the progress of every task during the Exchange installation and configuration. The file contains information about the status of the prerequisite and system readiness checks before installation starts, the application installation progress, and the configuration changes that are made to the system.

– Exchange was installed which contains a specific version. This means that on this date, we saw that Exchange Server 2016 CU12 was installed.

– Exchange has been upgraded to version. Here we can see that Exchange has been upgraded to CU23.

Commands that were run in Exchange PowerShell will be logged in the following location: C:\Program Files\Microsoft\Exchange Server\V15\Logging\CmdletInfra\LocalPowerShell\Cmdlet.
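
As an added example (not part of the original post), here is one way to use the #Fields line of an IIS W3C log to pull out the cs-username column and export one row per account, with request count, first and last seen time, source IPs and methods. The sample log lines, account names and documentation IP addresses are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample in the IIS W3C layout (not real traffic); the second
# #Fields line mimics IIS re-writing the header with a different column set.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 08:15:02 192.0.2.10 GET /owa/ - 443 CONTOSO\\alice 198.51.100.7 Mozilla/5.0 - 200 0 0 31
2021-03-03 08:15:09 192.0.2.10 POST /owa/auth.owa - 443 - 198.51.100.99 python-requests/2.25 - 302 0 0 12
2021-03-03 08:16:40 192.0.2.10 POST /ecp/default.aspx - 443 CONTOSO\\alice 198.51.100.8 Mozilla/5.0 - 200 0 0 45
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2021-03-03 09:01:11 GET /ews/exchange.asmx bob@contoso.example 198.51.100.7 401
"""

def users_from_iis_log(lines):
    """Return {username: {requests, first_seen, last_seen, ips, methods}}."""
    fields, users = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # The header can reappear mid-file with new columns; follow the latest.
            fields = line.split()[1:]
            continue
        values = line.split(" ")  # IIS writes spaces inside a value as "+"
        if not line or line.startswith("#") or len(values) != len(fields):
            continue  # directive, blank, headerless or truncated row
        row = dict(zip(fields, values))
        user = row.get("cs-username", "-").lower()  # account names are case-insensitive
        if user == "-":
            continue  # anonymous / unauthenticated request
        seen = f'{row.get("date", "")} {row.get("time", "")}'.strip()
        u = users.setdefault(user, {"requests": 0, "first_seen": seen,
                                    "last_seen": seen, "ips": set(), "methods": set()})
        u["requests"] += 1
        u["first_seen"] = min(u["first_seen"], seen)  # "YYYY-MM-DD HH:MM:SS" sorts as text
        u["last_seen"] = max(u["last_seen"], seen)
        u["ips"].add(row.get("c-ip", "-"))
        u["methods"].add(row.get("cs-method", "-"))
    return users

def to_csv(users):
    """Render the per-user summary as CSV text, one row per account."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["username", "requests", "first_seen", "last_seen", "source_ips", "methods"])
    for name, u in sorted(users.items()):
        w.writerow([name, u["requests"], u["first_seen"], u["last_seen"],
                    ";".join(sorted(u["ips"])), ";".join(sorted(u["methods"]))])
    return out.getvalue()

if __name__ == "__main__":
    print(to_csv(users_from_iis_log(SAMPLE_LOG.splitlines())))
```

During an IR, an account that appears from an unfamiliar source IP or only with POST requests to /owa or /ecp paths is a starting point for review, not a verdict on its own.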











