Mailbox Export to Exchange Webserver

Detects a successful export of an Exchange mailbox to an untypical directory (any UNC share path) or to a file with an .aspx name suffix, which can be used to place a webshell, or the "Mailbox Import Export" role assignment that is needed before such an export can be run.

Sigma rule (View on GitHub)

title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021/08/09
modified: 2023/04/30
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    export_command:
        '|all':
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    export_params:
        - '-FilePath "\\\\' # We care about any share location.
        - '.aspx'
    role_assignment:
        '|all':
            - 'New-ManagementRoleAssignment'
            - ' -Role "Mailbox Import Export"'
            - ' -User '
    condition: (export_command and export_params) or role_assignment
falsepositives:
    - Unlikely
level: critical
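To make the detection logic concrete, the following Python script transcribes the rule's three selections and its condition into a small evaluator and runs it over constructed MSExchange Management log messages. This is an added example, not code from the Sigma rule or from SigmaHQ tooling; the event strings are constructed and stand in for the message text the `msexchange-management` log source would carry, and the helper names (`selection_matches`, `evaluate`, `run_samples`) are assumptions of this example. It shows which branch of `(export_command and export_params) or role_assignment` fires for each event, including the case the rule deliberately accepts (any quoted share path) and one it misses (an unquoted share path).

```python
"""Toy evaluator for the keyword-style detection in this Sigma rule.

Added example, not part of the SigmaHQ rule or its tooling. Events are
constructed strings standing in for the message text of MSExchange
Management log entries (Sigma logsource msexchange-management).
"""
from __future__ import annotations

# The rule's detection block, transcribed. A selection given as a plain list
# matches when ANY keyword appears; a selection under '|all' matches only when
# EVERY keyword appears. Sigma's '\\\\' denotes two literal backslashes, which
# is what the Python literal below also yields.
DETECTION = {
    "export_command": {"all": ["New-MailboxExportRequest", " -Mailbox "]},
    "export_params": {"any": ['-FilePath "\\\\', ".aspx"]},
    "role_assignment": {
        "all": [
            "New-ManagementRoleAssignment",
            ' -Role "Mailbox Import Export"',
            " -User ",
        ]
    },
}


def selection_matches(event: str, selection: dict) -> bool:
    """Sigma keyword matching is case-insensitive; compare lowered text."""
    text = event.lower()
    if "all" in selection:
        return all(k.lower() in text for k in selection["all"])
    return any(k.lower() in text for k in selection["any"])


def evaluate(event: str) -> list[str]:
    """Return the selection names that matched, or [] if the rule does not fire."""
    hits = {name: selection_matches(event, sel) for name, sel in DETECTION.items()}
    # condition: (export_command and export_params) or role_assignment
    fired = (hits["export_command"] and hits["export_params"]) or hits["role_assignment"]
    return [name for name, hit in hits.items() if hit] if fired else []


# Constructed sample events (not real log data). Host and account names are
# placeholders.
SAMPLE_EVENTS = {
    "role_grant": 'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "svc_migrate"',
    "export_aspx": 'New-MailboxExportRequest -Mailbox "alice" -FilePath "\\\\EXCH01\\exports\\alice.aspx"',
    "export_pst_quoted": 'New-MailboxExportRequest -Mailbox "bob" -FilePath "\\\\FILESRV\\pst\\bob.pst"',
    "export_pst_unquoted": 'New-MailboxExportRequest -Mailbox "carol" -FilePath \\\\FILESRV\\pst\\carol.pst',
    "unrelated": 'Set-Mailbox -Identity "dave" -ProhibitSendQuota 2GB',
}


def run_samples() -> dict[str, list[str]]:
    """Evaluate every constructed event and report the matched selections."""
    return {name: evaluate(ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, matched in run_samples().items():
        verdict = "ALERT " + ",".join(matched) if matched else "no match"
        print(f"{name:22} -> {verdict}")
```

Two things the run makes visible for triage. First, as the rule author's inline comment says, any export to a quoted share path fires, so a routine PST export such as `export_pst_quoted` raises a critical alert and must be triaged on the exporting account and destination rather than suppressed. Second, the `-FilePath "\\\\` keyword only matches when the path is quoted in the logged command, so `export_pst_unquoted` is not caught by the first branch; whether that gap matters depends on how the Exchange management log renders the cmdlet in your environment.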
