[metadata] creation_date = "2023/07/14" integration = ["windows"] maturity = "production" updated_date = "2026/02/09" [rule] author = ["Elastic"] building_block_type = "default" description = """ Identifies the use of Cmdlets and methods related to Microsoft Exchange Transport Agents install. Adversaries may leverage malicious Microsoft Exchange Transport Agents to execute tasks in response to adversary-defined criteria, establishing persistence. """ from = "now-119m" index = ["winlogbeat-*", "logs-windows.powershell*"] interval = "60m" language = "kuery" license = "Elastic License v2" name = "Deprecated - Microsoft Exchange Transport Agent Install Script" risk_score = 21 rule_id = "846fe13f-6772-4c83-bd39-9d16d4ad1a81" setup = """## Setup PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104). Setup instructions: https://ela.st/powershell-logging-setup """ severity = "low" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Persistence", "Data Source: PowerShell Logs", "Rule Type: BBR", ] timestamp_override = "event.ingested" type = "query" query = ''' event.category: "process" and host.os.type:windows and powershell.file.script_block_text : ( ( "Install-TransportAgent" or "Enable-TransportAgent" ) ) and not user.id : "S-1-5-18" and not powershell.file.script_block_text : ( "'Install-TransportAgent', 'Invoke-MonitoringProbe', 'Mount-Database', 'Move-ActiveMailboxDatabase'," or "'Enable-TransportAgent', 'Enable-TransportRule', 'Export-ActiveSyncLog', 'Export-AutoDiscoverConfig'," or ("scriptCmd.GetSteppablePipeline" and "ForwardHelpTargetName Install-TransportAgent") ) ''' [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Users\\\\*\\\\AppData\\\\Roaming\\\\Microsoft\\\\Exchange\\\\RemotePowerShell\\\\*" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Windows\\\\TEMP\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.filters]] [rule.filters.meta] negate = true [rule.filters.query.wildcard."file.path"] case_insensitive = true value = "?:\\\\Users\\\\*\\\\AppData\\\\Local\\\\Temp\\\\*\\\\tmp_????????.???\\\\tmp_????????.???.ps?1" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1505" name = "Server Software Component" reference = "https://attack.mitre.org/techniques/T1505/" [[rule.threat.technique.subtechnique]] id = "T1505.002" name = "Transport Agent" reference = "https://attack.mitre.org/techniques/T1505/002/" [rule.threat.tactic] id = "TA0003" name = "Persistence" reference = "https://attack.mitre.org/tactics/TA0003/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"