
S0072: OwaAuth

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]

Enterprise | S0072 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

OwaAuth matters because it is described by ATT&CK as a web shell and credential stealer deployed to Microsoft Exchange servers. For leaders, the business issue is not just malware on a server; it is potential persistent access on a critical email platform where credentials, communications, and downstream access decisions often converge.

Executive priority

Treat this as a high-value email-infrastructure risk scenario. Security leaders should ask whether Exchange/IIS servers have current visibility for unauthorized web content, malicious IIS components, credential theft indicators, and suspicious web traffic. The priority is validating resilience around identity exposure, incident response readiness for compromised mail infrastructure, and audit evidence that internet-facing Windows server changes are controlled and monitored.

Technical view

ATT&CK lists OwaAuth for Windows and describes it as a Microsoft Exchange web shell and credential stealer, with no official detection text provided. Relationship context links it to web shell persistence, IIS components, keylogging, file and directory discovery, timestomping, web-protocol command and control, matching legitimate resource names or locations, and custom archiving. SOC and IR teams should validate coverage on Exchange/IIS hosts for unexpected files or DLLs, changes in IIS configuration, suspicious OWA/HTTP(S) request patterns, anomalous file timestamps, credential-access behavior, file enumeration, and data staging before exfiltration.

Likely telemetry

  • Windows endpoint telemetry from Exchange/IIS servers, including process, file, module/DLL, and command activity
  • IIS and Exchange/OWA web access logs
  • IIS configuration and component inventory, including ISAPI extensions or filters where applicable
  • File integrity and metadata evidence for web directories and Exchange/IIS application paths
  • Authentication logs for OWA, Windows, and related identity systems

Detection direction

  • Because ATT&CK provides no official detection guidance for OwaAuth, start by validating local telemetry coverage on Exchange/IIS servers rather than assuming tool coverage.
  • Monitor for new or modified web-accessible files, suspicious IIS components, and resources named or placed to resemble legitimate Exchange/IIS content.
  • Correlate unusual OWA/IIS requests with host-side file writes, module loads, process execution, or authentication anomalies.
  • Look for timestamp inconsistencies or file metadata anomalies that may indicate timestomping, especially around web directories and IIS component locations.
  • Tune detections to account for legitimate Exchange patching, administrator maintenance, and approved web application changes to reduce false positives.
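As an added example (written for this page; it is not code from MITRE, Dell SecureWorks or the Glexia analysis), the following Python applies several of the points above to constructed data: it flags an owaauth.dll outside its legitimate directory, a file whose own modification time disagrees with the time a host sensor saw it written, a w3wp.exe write into the Exchange web tree, the presence of the C:\log.txt credential log, and OWA requests followed shortly by a file write into the web tree. The two owaauth.dll locations, the w3wp.exe loader and the C:\log.txt path are taken from the relationship table on this page; %ProgramFiles% is expanded to C:\Program Files, and the record fields (observed_write, writer), the IIS W3C field layout, the one-day skew threshold and the 30-second correlation window are assumptions made for the example.

```python
"""Illustrative host-side checks for OwaAuth-style indicators (added example).

Facts from this page's relationship table: legitimate owaauth.dll lives under
...\ClientAccess\Owa\Auth\, the malicious copy was saved under
...\ClientAccess\Owa\bin\, w3wp.exe loads it, and credentials were written to
C:\log.txt. Everything else here (record layout, log layout, thresholds) is an
assumption for the example, not something the page or the cited report states.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# %ProgramFiles% expanded to C:\Program Files (assumption).
EXCHANGE_ROOT = PureWindowsPath(r"C:\Program Files\Microsoft\Exchange Server")
LEGIT_OWAAUTH_DIR = EXCHANGE_ROOT / "ClientAccess" / "Owa" / "Auth"
WEB_ROOT = EXCHANGE_ROOT / "ClientAccess"
CREDENTIAL_LOG = PureWindowsPath(r"C:\log.txt")


@dataclass
class FileRecord:
    path: str
    modified: datetime        # mtime as reported by the file system
    observed_write: datetime  # when EDR/inventory saw the write (assumed field)
    writer: str               # process that performed the write (assumed field)


def is_under(path, parent) -> bool:
    """Case-insensitive 'path is inside parent' for Windows-style paths."""
    return str(path).lower().startswith(str(parent).lower().rstrip("\\") + "\\")


def check_file_inventory(files, max_skew=timedelta(days=1)):
    """Return (finding_kind, path) tuples for the inventory records given."""
    findings = []
    for f in files:
        p = PureWindowsPath(f.path)
        # T1036.005: owaauth.dll anywhere except the legitimate Auth directory.
        if p.name.lower() == "owaauth.dll" and str(p.parent).lower() != str(LEGIT_OWAAUTH_DIR).lower():
            findings.append(("misplaced_owaauth", f.path))
        # Keylogger output file named in the relationship table.
        if str(p).lower() == str(CREDENTIAL_LOG).lower():
            findings.append(("credential_log_present", f.path))
        # T1070.006 heuristic: the sensor saw the write recently, but the file's own
        # mtime claims it is much older. Installers that preserve mtimes will also
        # trip this, so tune max_skew and exclude known maintenance windows.
        if f.observed_write - f.modified > max_skew:
            findings.append(("timestamp_inconsistency", f.path))
        # T1505.004: the IIS worker process writing into the Exchange web tree.
        if f.writer.lower() == "w3wp.exe" and is_under(p, WEB_ROOT):
            findings.append(("w3wp_write_to_web_tree", f.path))
    return findings


def parse_iis_line(line):
    """Assumed W3C layout: date time c-ip cs-method cs-uri-stem sc-status."""
    date, time_, c_ip, method, uri, status = line.split()
    return datetime.fromisoformat(f"{date}T{time_}"), c_ip, method, uri, int(status)


def correlate(log_lines, files, window=timedelta(seconds=30)):
    """Pair OWA requests with web-tree file writes observed within `window` after them."""
    requests = [parse_iis_line(l) for l in log_lines if not l.startswith("#")]
    writes = [f for f in files if is_under(f.path, WEB_ROOT)]
    hits = []
    for ts, ip, _method, uri, _status in requests:
        if not uri.lower().startswith("/owa/"):
            continue
        for w in writes:
            delta = (w.observed_write - ts).total_seconds()
            if 0 <= delta <= window.total_seconds():
                hits.append((uri, ip, w.path))
    return hits


# Constructed sample data (not real telemetry).
T0 = datetime(2025, 3, 4, 10, 0, 0)
SAMPLE_FILES = [
    FileRecord(str(LEGIT_OWAAUTH_DIR / "owaauth.dll"),
               T0 - timedelta(days=400), T0 - timedelta(days=400), "msiexec.exe"),
    FileRecord(str(WEB_ROOT / "Owa" / "bin" / "owaauth.dll"),
               T0 - timedelta(days=400), T0 + timedelta(seconds=5), "w3wp.exe"),
    FileRecord(str(CREDENTIAL_LOG),
               T0 + timedelta(minutes=2), T0 + timedelta(minutes=2), "w3wp.exe"),
]
SAMPLE_IIS_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2025-03-04 09:59:58 203.0.113.7 POST /owa/auth.owa 200",
    "2025-03-04 10:00:01 198.51.100.9 GET /owa/ 200",
]

if __name__ == "__main__":
    for kind, path in check_file_inventory(SAMPLE_FILES):
        print(f"[{kind}] {path}")
    for uri, ip, path in correlate(SAMPLE_IIS_LOG, SAMPLE_FILES):
        print(f"[request_then_write] {ip} {uri} -> {path}")
```

On the sample data the inventory check returns four findings (all three indicators on the misplaced DLL, plus the credential log), and the correlation returns two candidate requests for the one write; correlation narrows which requests to examine, it does not prove which one caused the write. In production the records would come from EDR file events and IIS logs, and the thresholds and the set of expected writers should be tuned around patching and administrator activity as the last point above advises.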

Mitigation priorities

  • Prioritize hardening and change control for internet-facing Microsoft Exchange and IIS servers.
  • Restrict write access to web directories and IIS component locations to authorized administrators and deployment processes.
  • Maintain inventory and integrity monitoring for Exchange/IIS files and components so unauthorized additions are reviewable.
  • Ensure authentication monitoring and credential reset procedures are ready for incidents involving credential-stealing malware on mail infrastructure.
  • Retain IIS, Exchange, Windows, EDR, and network logs long enough to support investigation of web shell persistence and credential access.

Analyst notes and limits

The strongest decision value is to use this object as a validation scenario for Exchange/IIS visibility and response readiness. The supplied ATT&CK description associates OwaAuth with Threat Group-3390 and states it appears to be exclusively used by that group, but this take does not infer current activity or customer exposure. Relationship context expands the likely behaviors defenders should check, especially persistence through web shells/IIS components and stealth through naming/location and timestamp manipulation.

The official object has no ATT&CK detection text, no specified tactics on the malware object, and only one cited external intelligence reference. Local environment evidence is required to determine exposure, detection coverage, and whether any observed Exchange/IIS activity is malicious or authorized.

Official MITRE ATT&CK definition

OwaAuth

OwaAuth is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by Threat Group-3390. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name (each relationship note below is mirrored ATT&CK text cited to [1], Dell TG-3390)

Enterprise | T1505.003 | Web Shell (Sub-technique)

OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell. [1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (Sub-technique)

OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\; the malicious file by the same name is saved in %ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\. [1]

Enterprise | T1056.001 | Keylogging (Sub-technique)

OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt. [1]

Enterprise | T1083 | File and Directory Discovery

OwaAuth has a command to list its directory and logical drives. [1]

Enterprise | T1070.006 | Timestomp (Sub-technique)

OwaAuth has a command to timestomp a file or directory. [1]

Enterprise | T1560.003 | Archive via Custom Method (Sub-technique)

OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file. [1]

Enterprise | T1505.004 | IIS Components (Sub-technique)

OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL. [1]

Enterprise | T1071.001 | Web Protocols (Sub-technique)

OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions. [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 1f2d81e0d02a9492...

Imported snapshots across ATT&CK releases (1):

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 1f2d81e0d02a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Dell TG-3390: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
[2] mitre-attack S0072: MITRE ATT&CK source record for S0072 (OwaAuth).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.