Failed MSExchange Transport Agent Installation
Detects a failed installation of a Exchange Transport Agent
Sigma rule (View on GitHub)
1title: Failed MSExchange Transport Agent Installation
2id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
3status: test
4description: Detects a failed installation of a Exchange Transport Agent
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
7author: Tobias Michalski (Nextron Systems)
8date: 2021/06/08
9modified: 2022/07/12
10tags:
11 - attack.persistence
12 - attack.t1505.002
13logsource:
14 service: msexchange-management
15 product: windows
16 # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
17detection:
18 selection:
19 EventID: 6
20 Data|contains: 'Install-TransportAgent'
21 condition: selection
22fields:
23 - AssemblyPath
24falsepositives:
25 - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
26level: high
References
-
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired target for attackers, since in case of successful exploitation of vulnerabilities or incorrect settings of MS Exchange components, attackers can gain access to emails of the company, increase their privileges to the domain administrator, and also perform phishing mailing on behalf of the organization's representatives. Moreover, attackers have a number of original ways to obtain persistence in the system. The speaker will consider all these methods and demonstrate approaches to obtain persistence using these methods and detect such presence.
Read More
Related rules
- MSExchange Transport Agent Installation
- MSExchange Transport Agent Installation - Builtin
- Abuse of Service Permissions to Hide Services Via Set-Service
- Abuse of Service Permissions to Hide Services Via Set-Service - PS
- Account Tampering - Suspicious Failed Logon Reasons