YARA Guidance Projects
Guidance for mitigating web shells. #nsacyber
Project mention: Mass exploitation of on-prem Exchange servers :( | reddit.com/r/msp | 2021-03-03
There is likely a Cobalt Strike BEACON acting as C2 now even if you've patched. I recommend full incident response mode, probably want to isolate the server. Run an integrity check against a known good config with WinDiff or NSA's dirChecker to find other anomalies. https://github.com/nsacyber/Mitigating-Web-Shells