Florian Roth
08883c8e32
Rules that use the "Message" field are prone to localisation issues and should be avoided whenever possible. We can build what we call "keyword" rules in these cases and simply combine string values that are searched in the raw data as 1 of them or all of them. (see specs for details)
32 lines
1.1 KiB
YAML
32 lines
1.1 KiB
YAML
title: Mailbox Export to Exchange Webserver
|
|
id: 516376b4-05cd-4122-bae0-ad7641c38d48
|
|
status: experimental
|
|
description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
|
|
references:
|
|
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
|
|
author: Florian Roth, Rich Warren, Christian Burkard
|
|
date: 2021/08/09
|
|
modified: 2021/08/11
|
|
logsource:
|
|
service: msexchange-management
|
|
product: windows
|
|
detection:
|
|
export_command:
|
|
- 'New-MailboxExportRequest'
|
|
- ' -Mailbox '
|
|
export_params:
|
|
- '-FilePath "\\localhost\C$'
|
|
- '-FilePath "\\127.0.0.1\C$'
|
|
- '.aspx'
|
|
role_assignment:
|
|
- 'New-ManagementRoleAssignment'
|
|
- ' -Role "Mailbox Import Export"'
|
|
- ' -User '
|
|
condition: (all of export_command and export_params) or all of role_assignment
|
|
falsepositives:
|
|
- unlikely
|
|
level: critical
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|