Failed MSExchange Transport Agent Installation
Detects a failed installation of an Exchange Transport Agent
Sigma rule
title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of an Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    service: msexchange-management
    product: windows
    # warning: The 'Data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        EventID: 6
        Data|contains: 'Install-TransportAgent'
    condition: selection
fields:
    - AssemblyPath
falsepositives:
    - Legitimate installations of Exchange Transport Agents. AssemblyPath is a good indicator for this.
level: high
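To make the selection concrete, the following is an added Python example (it is not part of the rule or of the Sigma project) that applies the same EventID 6 plus Data-contains logic to a few constructed MSExchange Management events and extracts the AssemblyPath parameter, which the rule lists under fields as the main false-positive discriminator. Sigma's string modifiers match case-insensitively by default, so the example lowercases before comparing. The event texts, the AssemblyPath regex and the expected-directory allowlist are assumptions made for the example, not values taken from the rule.

```python
import re
from typing import Iterable, List, Optional

# Constructed sample events, modelled loosely on records from the
# "MSExchange Management" event log. Field names follow the Sigma rule
# (EventID, Data); every value below is made up for this example.
SAMPLE_EVENTS = [
    {   # failed install from an unusual path -> matches, flagged for review
        "EventID": 6,
        "Data": "Cmdlet failed. Cmdlet Install-TransportAgent, parameters {Name=Mail Filter, "
                "TransportAgentFactory=Filter.Factory, AssemblyPath=C:\\Users\\Public\\filter.dll}",
    },
    {   # same cmdlet succeeded (EventID 1) -> outside this rule's selection
        "EventID": 1,
        "Data": "Cmdlet succeeded. Cmdlet Install-TransportAgent, parameters {Name=Mail Filter, "
                "AssemblyPath=C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Filter\\filter.dll}",
    },
    {   # failed cmdlet, but not the one the rule looks for
        "EventID": 6,
        "Data": "Cmdlet failed. Cmdlet Get-Mailbox, parameters {Identity=alice}",
    },
    {   # lower-case spelling: Sigma string matching is case-insensitive by default
        "EventID": 6,
        "Data": "Cmdlet failed. Cmdlet install-transportagent, parameters {Name=Archiver, "
                "AssemblyPath=C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Archiver\\archiver.dll}",
    },
]


def matches_rule(event: dict) -> bool:
    """Sigma `selection`: EventID equals 6 and Data contains 'Install-TransportAgent'.

    Sigma compares strings case-insensitively unless told otherwise, hence lower().
    """
    data = str(event.get("Data", "")).lower()
    return event.get("EventID") == 6 and "install-transportagent" in data


# Assumed layout of the cmdlet parameter list inside Data; adapt to your backend's
# field extraction if AssemblyPath is already a separate field.
ASSEMBLY_PATH_RE = re.compile(r"AssemblyPath=([^,}]+)")


def assembly_path(event: dict) -> Optional[str]:
    """Pull the AssemblyPath parameter out of the Data blob, if present."""
    m = ASSEMBLY_PATH_RE.search(str(event.get("Data", "")))
    return m.group(1).strip() if m else None


# Assumption for the example: agents deployed under the Exchange installation
# directory are the expected ones; anything else deserves an analyst's look.
EXPECTED_AGENT_DIRS = ("c:\\program files\\microsoft\\exchange server\\",)


def is_expected_path(path: Optional[str]) -> bool:
    """True when the assembly lives under one of the allowlisted directories."""
    return path is not None and path.lower().startswith(EXPECTED_AGENT_DIRS)


def run_detection(events: Iterable[dict]) -> List[dict]:
    """Return one finding per matching event, with the AssemblyPath and a triage hint."""
    findings = []
    for ev in events:
        if not matches_rule(ev):
            continue
        path = assembly_path(ev)
        findings.append({
            "EventID": ev["EventID"],
            "AssemblyPath": path,
            "expected_path": is_expected_path(path),
        })
    return findings


if __name__ == "__main__":
    for finding in run_detection(SAMPLE_EVENTS):
        print(finding)
```

Running it yields two findings: the failed install from C:\Users\Public is flagged as an unexpected path, while the failed lower-case install under the Exchange directory still matches the rule but is marked as an expected location, which is the kind of AssemblyPath-based triage the falsepositives entry refers to.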
Related rules
- MSExchange Transport Agent Installation
- MSExchange Transport Agent Installation - Builtin
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain