Exchange Set OabVirtualDirectory ExternalUrl Property
Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log.
Sigma rule
title: Exchange Set OabVirtualDirectory ExternalUrl Property
id: 9db37458-4df2-46a5-95ab-307e7f29e675
status: test
description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
references:
    - https://twitter.com/OTR_Community/status/1371053369071132675
author: Jose Rodriguez @Cyb3rPandaH
date: 2021-03-15
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    service: msexchange-management
detection:
    keywords:
        '|all':
            - 'Set-OabVirtualDirectory'
            - 'ExternalUrl'
            - 'Page_Load'
            - 'script'
    condition: keywords
falsepositives:
    - Unknown
level: high
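The rule's `'|all'` keyword logic applied to sample Exchange Management event text, as an added example that is not part of the Sigma project or the original page. It assumes keywords are matched as case-insensitive substrings of the whole event (backends may differ); the function names and sample events are constructed for illustration.

```python
"""Apply the rule's '|all' keyword list to Exchange Management event text."""

# Keywords copied from the rule's detection section.
KEYWORDS = ["Set-OabVirtualDirectory", "ExternalUrl", "Page_Load", "script"]


def missing_keywords(event_text: str) -> list[str]:
    """Keywords absent from one event (assumed: case-insensitive substring match)."""
    haystack = event_text.lower()
    return [k for k in KEYWORDS if k.lower() not in haystack]


def matches_rule(event_text: str) -> bool:
    """'|all' turns the keyword list's default OR into AND within one event."""
    return not missing_keywords(event_text)


# Constructed sample events (not real logs); the script body is elided.
SAMPLE_EVENTS = {
    # Routine URL change: cmdlet and parameter present, no script markers.
    "benign_url_change": (
        'Set-OabVirtualDirectory -Identity "OAB (Default Web Site)" '
        '-ExternalUrl "https://mail.example.test/OAB"'
    ),
    # All four keywords in one event: the case the rule is written for.
    "script_in_external_url": (
        'Set-OabVirtualDirectory -Identity "OAB (Default Web Site)" '
        '-ExternalUrl "http://f/<script language="JScript" runat="server">'
        'function Page_Load(){/* body elided */}</script>"'
    ),
    # Same content in different letter case still matches.
    "lowercase_variant": (
        'set-oabvirtualdirectory -externalurl "http://f/<SCRIPT runat="server">'
        'function page_load(){/* body elided */}</SCRIPT>"'
    ),
    # Three keywords present, but a different cmdlet: no match.
    "other_cmdlet": (
        'Set-OwaVirtualDirectory -ExternalUrl '
        '"https://mail.example.test/owa/Page_Load/script"'
    ),
}

if __name__ == "__main__":
    for name, text in SAMPLE_EVENTS.items():
        print(f"{name:24} match={matches_rule(text)!s:5} "
              f"missing={missing_keywords(text)}")
```

The `missing_keywords` output shows which term kept an event from matching, which helps when checking whether a log source records the full cmdlet parameters the rule depends on.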
Related rules
- Antivirus Web Shell Detection
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access