Suspicious ASPX File Drop by Exchange
Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
Sigma rule (View on GitHub)
1title: Suspicious ASPX File Drop by Exchange
2id: bd1212e5-78da-431e-95fa-c58e3237a8e6
3related:
4 - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
5 type: similar
6status: test
7description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
8references:
9 - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
10 - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
11 - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
12author: Florian Roth (Nextron Systems), MSTI (query, idea)
13date: 2022-10-01
14tags:
15 - attack.persistence
16 - attack.t1505.003
17logsource:
18 product: windows
19 category: file_event
20detection:
21 selection:
22 Image|endswith: '\w3wp.exe'
23 CommandLine|contains: 'MSExchange'
24 TargetFilename|contains:
25 - 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
26 - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
27 selection_types:
28 TargetFilename|endswith:
29 - '.aspx'
30 - '.asp'
31 - '.ashx'
32 condition: all of selection*
33falsepositives:
34 - Unknown
35level: high
References
Related rules
- Antivirus Web Shell Detection
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Certificate Request Export to Exchange Webserver
- Chopper Webshell Process Pattern
- DEWMODE Webshell Access