Scenario: The other day an article was written by ARS Technica on a mail server attack that steals massive number of passwords. One of the symptoms is finding an unsigned OWAAuth.DLL and in some cases the file was located in a different directory.
Solution: Here is a quick way to check all of your Exchange servers to make sure all of your OWAAUTH.DLL files are signed and in the correct path:
#Build your Servers Variable $Servers = Get-exchangeserver
#Build your Auth Variable $Auth = $Servers | %{Get-childitem -path "\$_c$program filesMicrosoftExchange Serverv15" -filter owaauth.dll -recurse | Get-authenticodeSignature}
#Export your Auth Variable to read it in Excel $Auth | Export-csv C:tempAuth.csv
Ex-Shell 