Add/Update Exchange/Mailbox Rules

rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml

@@ -6,7 +6,7 @@ references:
     - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth, Rich Warren, Christian Burkard
 date: 2021/08/09
-modified: 2022/02/01
+modified: 2022/10/26
 tags:
     - attack.persistence
     - attack.t1505.003
@@ -18,14 +18,13 @@ detection:
         - 'New-MailboxExportRequest'
         - ' -Mailbox '
     export_params:
-        - '-FilePath "\\\\localhost\\C$'
-        - '-FilePath "\\\\127.0.0.1\\C$'
+        - '-FilePath "\\\\' # We care about any share location
         - '.aspx'
     role_assignment:
         - 'New-ManagementRoleAssignment'
         - ' -Role "Mailbox Import Export"'
         - ' -User '
-    condition: (all of export_command and export_params) or all of role_assignment
+    condition: all of export_* or role_assignment
 falsepositives:
     - Unlikely
 level: critical

rules/windows/file/file_delete/file_delete_win_exchange_powershell_logs.yml

@@ -0,0 +1,22 @@
+title: Exchange PowerShell Cmdlet History Deleted
+id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
+status: experimental
+description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
+references:
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.defense_evasion
+    - attack.t1070
+logsource:
+    category: file_delete
+    product: windows
+detection:
+    selection:
+        FileName|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
+        FileName|contains: '_Cmdlet_'
+    condition: selection
+falsepositives:
+    - Possible FP during log rotation
+level: high

rules/windows/powershell/powershell_script/posh_ps_exchange_mailbox_smpt_forwarding_rule.yml

@@ -0,0 +1,24 @@
+title: Suspicious PowerShell Mailbox SMTP Forward Rule
+id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
+status: experimental
+description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
+references:
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.exfiltration
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Set-Mailbox '
+            - ' -DeliverToMailboxAndForward '
+            - ' -ForwardingSmtpAddress '
+    condition: selection
+falsepositives:
+    - Legitimate usage of the cmdlet to forward emails
+level: medium

rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml

@@ -0,0 +1,33 @@
+title: Suspicious PowerShell Mailbox Export to Share - PS
+id: 4a241dea-235b-4a7e-8d76-50d817b146c4
+related:
+    - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+      type: derived
+status: experimental
+description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2481
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.exfiltration
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'New-MailboxExportRequest'
+            - ' -Mailbox '
+            - ' -FilePath \\\\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+fields:
+    - CommandLine
+    - ParentCommandLine

rules/windows/process_creation/proc_creation_win_mailboxexport_share.yml

@@ -1,23 +1,26 @@
 title: Suspicious PowerShell Mailbox Export to Share
 id: 889719ef-dd62-43df-86c3-768fb08dc7c0
 status: experimental
-description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
+description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
 references:
     - https://youtu.be/5mqid-7zp8k?t=2481
     - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
     - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth
 date: 2021/08/07
-modified: 2022/02/01
+modified: 2022/10/26
+tags:
+    - attack.exfiltration
 logsource:
     category: process_creation
     product: windows
 detection:
     selection:
         CommandLine|contains|all:
-            - 'New-MailboxExport'
+            - 'New-MailboxExportRequest'
             - ' -Mailbox '
-            - ' -FilePath \\\\127.0.0.1\\C$'
+            - ' -FilePath \\\\'
     condition: selection
 falsepositives:
     - Unknown
@@ -25,8 +28,3 @@ level: critical
 fields:
     - CommandLine
     - ParentCommandLine
-tags:
-   - attack.persistence  
-   - attack.t1505.003
-   - attack.resource_development
-   - attack.t1584.006