New ActiveSyncAllowedDeviceID Added via PowerShell

calendar Nov 5, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Persistence Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: System Data Source: Microsoft Defender for Endpoint Data Source: Sysmon Data Source: SentinelOne Data Source: Crowdstrike  ·
Share on: linkedin copy

Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/12/15"
 3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
 4maturity = "production"
 5updated_date = "2024/10/31"
 6min_stack_version = "8.14.0"
 7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device.
13Adversaries may target user email to collect sensitive information.
14"""
15false_positives = ["Legitimate exchange system administration activity."]
16from = "now-9m"
17index = [
18    "logs-endpoint.events.process-*",
19    "winlogbeat-*",
20    "logs-windows.forwarded*",
21    "logs-windows.sysmon_operational-*",
22    "endgame-*",
23    "logs-system.security*",
24    "logs-m365_defender.event-*",
25    "logs-sentinel_one_cloud_funnel.*",
26    "logs-crowdstrike.fdr*",
27]
28language = "eql"
29license = "Elastic License v2"
30name = "New ActiveSyncAllowedDeviceID Added via PowerShell"
31references = [
32    "https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/",
33    "https://docs.microsoft.com/en-us/powershell/module/exchange/set-casmailbox?view=exchange-ps",
34]
35risk_score = 47
36rule_id = "ce64d965-6cb0-466d-b74f-8d2c76f47f05"
37severity = "medium"
38tags = [
39    "Domain: Endpoint",
40    "OS: Windows",
41    "Use Case: Threat Detection",
42    "Tactic: Persistence",
43    "Tactic: Execution",
44    "Data Source: Elastic Endgame",
45    "Data Source: Elastic Defend",
46    "Data Source: System",
47    "Data Source: Microsoft Defender for Endpoint",
48    "Data Source: Sysmon",
49    "Data Source: SentinelOne",
50    "Data Source: Crowdstrike",
51]
52timestamp_override = "event.ingested"
53type = "eql"
54
55query = '''
56process where host.os.type == "windows" and event.type == "start" and
57  process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1098"
65name = "Account Manipulation"
66reference = "https://attack.mitre.org/techniques/T1098/"
67[[rule.threat.technique.subtechnique]]
68id = "T1098.002"
69name = "Additional Email Delegate Permissions"
70reference = "https://attack.mitre.org/techniques/T1098/002/"
71
72
73
74[rule.threat.tactic]
75id = "TA0003"
76name = "Persistence"
77reference = "https://attack.mitre.org/tactics/TA0003/"
78[[rule.threat]]
79framework = "MITRE ATT&CK"
80[[rule.threat.technique]]
81id = "T1059"
82name = "Command and Scripting Interpreter"
83reference = "https://attack.mitre.org/techniques/T1059/"
84[[rule.threat.technique.subtechnique]]
85id = "T1059.001"
86name = "PowerShell"
87reference = "https://attack.mitre.org/techniques/T1059/001/"
88
89
90
91[rule.threat.tactic]
92id = "TA0002"
93name = "Execution"
94reference = "https://attack.mitre.org/tactics/TA0002/"

References

  • Dark Halo Leverages SolarWinds Compromise to Breach Organizations

    Volexity is releasing additional research and indicators associated with compromises impacting customers of the SolarWinds Orion software platform. Volexity has also published a guide for responding to the SolarWinds breach, and how to detect, prevent, and remediate this supply chain attack. On Sunday, December 13, 2020, FireEye released a blog detailing an alleged compromise to the company SolarWinds. This compromise involved a backdoor being distributed through an update to SolarWind's Orion software product. FireEye attributed this activity to an unknown threat actor it tracks as UNC2452. Volexity has subsequently been able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo. At one particular think tank, Volexity worked three separate incidents involving Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for […]


    Read More

  • Set-CASMailbox (ExchangePowerShell)

    You need to be assigned permissions before you can run this cmdlet. Although this topic lists all parameters for the cmdlet, you may not have access to some parameters if they're not included in the permissions assigned to you. To find the permissions required to run any cmdlet or parameter in your organization, see Find the permissions required to run any Exchange cmdlet.


    Read More

Related rules

to-top