Certificate Request Export to Exchange Webserver
Detects the export of an Exchange certificate signing request (CSR) to an unusual directory or with an .aspx file name suffix, a technique that can be used to place a web shell on the Exchange web server.
Sigma rule

title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
    - https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt (Nextron Systems)
date: 2021-08-23
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params
falsepositives:
    - Unlikely
level: critical
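As an added example (not part of the rule or of the Sigma project), the rule's condition re-implemented in Python with Sigma keyword semantics: every string under '|all' must occur in the event, at least one of the export-parameter strings must occur, and matching is a case-insensitive substring search over the whole event. The sample log lines are constructed for the test; their layout is an assumption, not the real MSExchange Management event format.

```python
# Strings from keywords_export_command ('|all': every one must be present).
EXPORT_COMMAND_ALL = [
    "New-ExchangeCertificate",
    " -GenerateRequest",
    " -BinaryEncoded",
    " -RequestFile",
]

# Strings from keywords_export_params (any one suffices). Sigma writes a literal
# backslash as '\\', so '\\\\localhost\\C$' in the rule matches \\localhost\C$.
EXPORT_PARAMS_ANY = [
    r"\\localhost\C$",
    r"\\127.0.0.1\C$",
    r"C:\inetpub",
    ".aspx",
]


def matches_rule(event: str) -> bool:
    """Evaluate 'keywords_export_command and keywords_export_params' on one event."""
    text = event.lower()  # Sigma keyword matching is case-insensitive
    has_export_command = all(k.lower() in text for k in EXPORT_COMMAND_ALL)
    has_suspicious_param = any(k.lower() in text for k in EXPORT_PARAMS_ANY)
    return has_export_command and has_suspicious_param


def scan(events):
    """Return the indices of the events that would fire the rule."""
    return [i for i, event in enumerate(events) if matches_rule(event)]


# Constructed sample events (format assumed, not the product's real log layout).
SAMPLE_EVENTS = [
    # 0: routine CSR export to a file server share: command matches, no bad path
    r"Cmdlet succeeded: New-ExchangeCertificate -GenerateRequest -BinaryEncoded -RequestFile \\fileserver\certs\mail.req",
    # 1: CSR written into the IIS web root with an .aspx name: both clauses true
    r"Cmdlet succeeded: New-ExchangeCertificate -GenerateRequest -BinaryEncoded -RequestFile C:\inetpub\wwwroot\request.aspx",
    # 2: unrelated cmdlet: the parameter strings alone never fire the rule
    r"Cmdlet succeeded: Set-OwaVirtualDirectory -Identity 'owa (Default Web Site)' -ExternalUrl https://mail.example.test/owa",
    # 3: export through the local admin share: matches the \\localhost\C$ string
    r"Cmdlet succeeded: New-ExchangeCertificate -GenerateRequest -BinaryEncoded -RequestFile \\localhost\C$\Temp\cert.req",
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT (critical) on event {i}: {SAMPLE_EVENTS[i]}")
```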
References
- https://twitter.com/GossiTheDog/status/1429175908905127938
Related rules
- Antivirus Web Shell Detection
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access
- Exchange Set OabVirtualDirectory ExternalUrl Property