Exchange Set OabVirtualDirectory ExternalUrl Property
Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log.
Sigma rule
title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021/03/15
modified: 2023/01/23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords:
        '|all':
            - 'Set-OabVirtualDirectory'
            - 'ExternalUrl'
            - 'Page_Load'
            - 'script'
    condition: keywords
falsepositives:
    - Unknown
level: high
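The rule's `|all` keyword logic applied to sample log text, as an added example that is not part of the rule or the Sigma project. The function names are hypothetical, the events are constructed, and it assumes keywords match as case-insensitive substrings of the whole event text.

```python
# Added illustration (not Sigma project code): evaluates the rule's '|all'
# keyword list against constructed MSExchange Management event text.
# Assumption: keywords are case-insensitive substrings of the whole event.
KEYWORDS = ("Set-OabVirtualDirectory", "ExternalUrl", "Page_Load", "script")


def missing_keywords(event_text: str) -> list:
    """Return the rule keywords that do NOT occur in the event text."""
    haystack = event_text.casefold()
    return [k for k in KEYWORDS if k.casefold() not in haystack]


def matches_rule(event_text: str) -> bool:
    """'|all' semantics: the rule fires only when no keyword is missing."""
    return not missing_keywords(event_text)


# Constructed sample events; the script body is deliberately elided.
PREFIX = "Cmdlet succeeded. Cmdlet Set-OabVirtualDirectory, parameters "
SAMPLE_EVENTS = {
    "script_in_url": PREFIX
    + '-ExternalUrl "http://placeholder/<script language=\'JScript\' '
    + 'runat=\'server\'>function Page_Load(){/* elided */}</script>" '
    + '-Identity "OAB (Default Web Site)".',
    "lowercase_variant": "cmdlet set-oabvirtualdirectory -externalurl "
    + '"http://placeholder/<SCRIPT runat=server>function page_load(){}</SCRIPT>"',
    "routine_change": PREFIX
    + '-ExternalUrl "https://mail.example.com/OAB" '
    + '-Identity "OAB (Default Web Site)".',
    # "subscription" contains the substring "script"; Page_Load is still absent.
    "subscription_url": PREFIX
    + '-ExternalUrl "https://mail.example.com/subscription/OAB" '
    + '-Identity "OAB (Default Web Site)".',
}


def evaluate(events: dict) -> dict:
    """Map each event name to the keywords it lacks (empty list = alert)."""
    return {name: missing_keywords(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, missing in evaluate(SAMPLE_EVENTS).items():
        verdict = "ALERT" if not missing else "no match, missing " + ", ".join(missing)
        print(f"{name}: {verdict}")
```

The `subscription_url` event shows why the rule requires all four keywords: `script` alone appears in ordinary URLs, and only the combination with `Page_Load` raises an alert.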
Related rules
- Webshell Usage with ManageEngine Product
- Webshell Remote Command Execution
- DNS HybridConnectionManager Service Bus
- Okta API Token Created
- Okta Admin Role Assigned to an User or Group