Microsoft Exchange Incident Management Questionnaire

Submitted by kogardner on

The N.C. Joint Cybersecurity Task Force is seeking information from state, local and academic entities to help assess the state’s security posture in regard to the Microsoft Exchange compromise.

Information shared as part of this process will be protected from public disclosure under N.C. G.S. 132-6.1(c). Private sector entities are encouraged to report cybersecurity incidents to the department (2015-241, s. 7A.2(b); 2019-200, s. 6(e)).

For more information:

Point of Contact Information
In what county does your organization reside?
What subsector does your organization fall under?
Does your organization have an on-premises Microsoft Exchange server or use a hybrid Exchange environment?

Additional Information

Which of the following versions does your organization use?
Based on the definitions listed below, please select the one option that best fits your organization’s current status.
Details
Patched
Has your organization completed threat hunting?
Has your organization validated that there are no signs of compromise in your network, including signs of lateral movement or credential harvesting, using at a minimum the tools and recommendations listed below?

Minimum tools and recommendations:

  • CISA recommends investigating for signs of compromise from at least January 1st, 2021 through present
  • Administrators should search the ECP server logs for the following string (or something similar): S:CMD=Set-OabVirtualDirectory.ExternalUrl='
  • Download and run the following tools on any exposed systems: https://github.com/microsoft/CSS-Exchange/tree/main/Security 

Note: Antivirus and simple endpoint protection services are not sufficient as standalone tools to identify potential indicators of compromise.

Does your organization need assistance with threat hunting?
Exposed
Does your organization need assistance with patching?
Does your organization need assistance with threat hunting?
Compromised
Does your organization need assistance with remediation?
Is your organization willing to share the information listed below?

Information you would be willing to share includes:

  • Logs (Microsoft, firewall, antivirus, etc.)
  • Scanning results
  • Images (snapshots) of the compromised servers
  • Memory dumps
  • Executable malware files identified

Note: All data contained within this survey is covered by N.C. G.S. 132-6.1(c) and is not publicly available.

Threat Hunting
Has your organization completed patching?
Does your organization need assistance with patching?
Has your organization validated that there are no signs of compromise in your network, including signs of lateral movement or credential harvesting, using at a minimum the tools and recommendations listed below?

Minimum tools and recommendations:

  • CISA recommends investigating for signs of compromise from at least January 1st, 2021 through present
  • Administrators should search the ECP server logs for the following string (or something similar): S:CMD=Set-OabVirtualDirectory.ExternalUrl='
  • Download and run the following tools on any exposed systems: https://github.com/microsoft/CSS-Exchange/tree/main/Security 

Note: Antivirus and simple endpoint protection services are not sufficient as standalone tools to identify potential indicators of compromise. 

Does your organization need assistance with threat hunting?
Remediated
Did your organization patch, decommission or migrate to the cloud?
Has your organization validated that there are no signs of compromise in your network, including signs of lateral movement or credential harvesting, using at a minimum the tools and recommendations listed below?

Minimum tools and recommendations:

  • CISA recommends investigating for signs of compromise from at least January 1st, 2021 through present
  • Administrators should search the ECP server logs for the following string (or something similar): S:CMD=Set-OabVirtualDirectory.ExternalUrl='
  • Download and run the following tools on any exposed systems: https://github.com/microsoft/CSS-Exchange/tree/main/Security 

Note: Antivirus and simple endpoint protection services are not sufficient as standalone tools to identify potential indicators of compromise. 
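The "Minimum tools and recommendations" lists in the Patched, Threat Hunting and Remediated sections all ask administrators to search the ECP server logs for the string S:CMD=Set-OabVirtualDirectory.ExternalUrl=' over a window starting January 1st, 2021. The following script is an added example of that log check written for this page; it is not part of the questionnaire and is not the Microsoft CSS-Exchange tooling linked above. It assumes a simplified ECP server log layout (leading ISO-8601 timestamp, comma-separated fields), a default log directory path that you should verify on your own server, and an organization-specific set of expected OAB hostnames (here mail.example.org); the sample log lines are constructed, not real telemetry.

```python
import re
from datetime import date
from pathlib import Path
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Indicator string quoted in the questionnaire (search the ECP server logs for it).
INDICATOR = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='"
# Start of the hunt window the questionnaire recommends (January 1st, 2021 through present).
HUNT_START = date(2021, 1, 1)
# Hostnames your own OAB virtual directory legitimately points at.
# Assumed value for this example; replace with your organization's hostnames.
EXPECTED_OAB_HOSTS = {"mail.example.org"}
# ECP server log directory on an on-premises Exchange install.
# Assumed default for this example; verify the path on your own server.
DEFAULT_LOG_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\ECP\Server"

_DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})")
_VALUE_RE = re.compile(re.escape(INDICATOR) + r"([^']*)'")

# Constructed sample lines in a simplified ECP-server-log layout (timestamp first,
# comma-separated fields, cmdlet audit data in an S:CMD=... field). They are not real
# log entries, and the field layout is an assumption made for this example.
SAMPLE_LOG_LINES = [
    "2020-12-20T08:15:02.123Z,admin@example.org,S:CMD=Set-OabVirtualDirectory.ExternalUrl='https://mail.example.org/OAB';S:Result=OK",
    "2021-02-27T03:41:19.004Z,,S:CMD=Set-OabVirtualDirectory.ExternalUrl='http://oab-host.invalid/x';S:Result=OK",
    "2021-03-01T10:02:44.551Z,user@example.org,S:CMD=Get-Mailbox;S:Identity=user@example.org",
    "2021-03-03T22:11:09.880Z,admin@example.org,S:CMD=Set-OabVirtualDirectory.ExternalUrl='https://mail.example.org/OAB';S:Result=OK",
]


def line_date(line: str) -> Optional[date]:
    """Return the calendar date from a line's leading ISO-8601 timestamp, or None."""
    m = _DATE_RE.match(line)
    if not m:
        return None
    year, month, day = (int(g) for g in m.groups())
    return date(year, month, day)


def find_indicator_hits(lines: Iterable[str], hunt_start: date = HUNT_START,
                        expected_hosts=EXPECTED_OAB_HOSTS) -> List[Dict]:
    """Return every line containing the indicator string, annotated for triage.

    Each hit records the line number, the date, whether it falls inside the hunt
    window, the ExternalUrl value that was set, and whether that value points at a
    host outside the expected set. The host flag is a cheap triage aid, not proof of
    compromise: every in-window hit still needs a human review of who made the
    change and why.
    """
    hits = []
    for line_no, line in enumerate(lines, start=1):
        if INDICATOR not in line:
            continue
        when = line_date(line)
        m = _VALUE_RE.search(line)
        value = m.group(1) if m else ""
        host = urlparse(value).hostname or ""
        hits.append({
            "line_no": line_no,
            "date": when,
            "in_window": when is not None and when >= hunt_start,
            "external_url": value,
            "unexpected_host": host not in expected_hosts,
        })
    return hits


def scan_log_dir(directory: str = DEFAULT_LOG_DIR) -> Dict[str, List[Dict]]:
    """Scan every *.log file in the directory; map file name -> hits (files with none are omitted)."""
    results: Dict[str, List[Dict]] = {}
    for path in sorted(Path(directory).glob("*.log")):
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            hits = find_indicator_hits(fh)
        if hits:
            results[path.name] = hits
    return results


if __name__ == "__main__":
    # Demonstrate on the constructed sample; on a real server call scan_log_dir().
    for hit in find_indicator_hits(SAMPLE_LOG_LINES):
        flag = "REVIEW" if hit["in_window"] else "pre-window"
        print(f"line {hit['line_no']} {hit['date']} [{flag}] "
              f"url={hit['external_url']!r} unexpected_host={hit['unexpected_host']}")
```

On the sample, the script reports three occurrences of the indicator: one from December 2020 (outside the hunt window, still worth noting), one in-window hit that set ExternalUrl to a host outside the expected set, and one in-window hit pointing at the expected OAB host. Treat every in-window hit as something to account for against your change records; the host check only orders the review, it does not clear anything.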

Does your organization need assistance with threat hunting or remediation?
Are your Microsoft Exchange server(s) back online, active and currently providing services?