Suspicious ASPX File Drop by Exchange

Detects suspicious file types (.aspx, .asp, .ashx) dropped by an Exchange component in IIS into a suspicious folder

Sigma rule

title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
    - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022/10/01
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
        TargetFilename|contains:
            - 'FrontEnd\HttpProxy\'           # from GTSC and MSTI reports
            - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
    condition: all of selection*
falsepositives:
    - Unknown
level: high
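The following is an added example, not code from the Sigma project: it re-implements the rule's matching logic in Python and runs it over constructed Sysmon FileCreate-style records, so you can see how the two selection blocks combine under `all of selection*` and that Sigma's `contains`/`endswith` modifiers match case-insensitively. The sample events, the app-pool command lines and the file names are all made up for the example.

```python
# Added example, not part of the Sigma project. Sigma string modifiers are
# case-insensitive by default, reproduced here with str.lower() on both sides.

# Selection values copied from the rule above (lower-cased for comparison).
IMAGE_SUFFIX = '\\w3wp.exe'
CMDLINE_SUBSTR = 'msexchange'
TARGET_SUBSTRS = ('frontend\\httpproxy\\', '\\inetpub\\wwwroot\\aspnet_client\\')
TARGET_SUFFIXES = ('.aspx', '.asp', '.ashx')

def _selection(event):
    """Block 'selection': every keyed field must match (fields are ANDed)."""
    image = event.get('Image', '').lower()
    cmdline = event.get('CommandLine', '').lower()
    target = event.get('TargetFilename', '').lower()
    return (image.endswith(IMAGE_SUFFIX)
            and CMDLINE_SUBSTR in cmdline
            and any(s in target for s in TARGET_SUBSTRS))

def _selection_types(event):
    """Block 'selection_types': list values under one field are ORed."""
    target = event.get('TargetFilename', '').lower()
    return any(target.endswith(s) for s in TARGET_SUFFIXES)

def matches(event):
    """condition: all of selection* -> both selection blocks must be true."""
    return _selection(event) and _selection_types(event)

def alerts(events):
    return [e['TargetFilename'] for e in events if matches(e)]

# Constructed sample events; field names follow the Sysmon schema Sigma maps to.
EXCHANGE_POOL = 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "MSExchangeOWAAppPool" -v "v4.0"'
HTTPPROXY = 'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\'
SAMPLE_EVENTS = [
    # 1: Exchange worker process drops a .ashx under HttpProxy -> rule fires
    {'Image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe', 'CommandLine': EXCHANGE_POOL,
     'TargetFilename': HTTPPROXY + 'owa\\auth\\sample_dropped.ashx'},
    # 2: same worker writes a .txt into the same tree -> extension not in the list
    {'Image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe', 'CommandLine': EXCHANGE_POOL,
     'TargetFilename': HTTPPROXY + 'owa\\auth\\errorFE.txt'},
    # 3: non-Exchange app pool writes .aspx into aspnet_client -> CommandLine check fails
    {'Image': 'C:\\Windows\\System32\\inetsrv\\w3wp.exe',
     'CommandLine': 'c:\\windows\\system32\\inetsrv\\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
     'TargetFilename': 'C:\\inetpub\\wwwroot\\aspnet_client\\client.aspx'},
]

if __name__ == '__main__':
    for name in alerts(SAMPLE_EVENTS):
        print('ALERT:', name)
```

Only the first sample event is reported; the second fails `selection_types` and the third fails the `CommandLine` test in `selection`, which is what keeps a non-Exchange app pool writing to `aspnet_client` from alerting.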
