Suspicious File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS

Sigma rule

title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
    - attack.persistence
    - attack.t1190
    - attack.initial-access
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
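The following Python is an added example, not part of the rule or of the Sigma project: it re-implements the rule's matching logic (case-insensitive `endswith`/`contains`, the OR-ed suffix list, and `all of selection*` as an AND of the two selections) and runs it over constructed Sysmon-style records. One practical point it makes explicit: a Sysmon FileCreate record (Event ID 11) carries Image and TargetFilename but no CommandLine, so the `CommandLine|contains: 'MSExchange'` clause only fires if the pipeline has enriched the file event from the creating process's ProcessCreate record (Event ID 1); the join on ProcessGuid below is an assumption about such a pipeline, and all GUIDs, paths and command lines are constructed sample data.

```python
"""Added example: the rule's detection logic in Python over constructed events.

Not part of the Sigma rule or the Sigma project. Event shapes mimic Sysmon
ProcessCreate (ID 1) and FileCreate (ID 11) records; every value is constructed.
"""
from typing import Dict, Iterable, List

# Constants copied from the rule itself.
IMAGE_SUFFIX = "\\w3wp.exe"           # Image|endswith
CMDLINE_NEEDLE = "MSExchange"         # CommandLine|contains
TARGET_SUFFIXES = (                   # TargetFilename|endswith (OR-ed list)
    ".aspx", ".asp", ".ashx", ".ps1", ".bat", ".exe", ".dll", ".vbs",
)


def sigma_endswith(value: str, suffix: str) -> bool:
    """Sigma 'endswith' modifier; Sigma string matching is case-insensitive."""
    return value.lower().endswith(suffix.lower())


def sigma_contains(value: str, needle: str) -> bool:
    """Sigma 'contains' modifier, case-insensitive."""
    return needle.lower() in value.lower()


def enrich_file_events(process_events: Iterable[Dict[str, str]],
                       file_events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Copy CommandLine from the ProcessCreate record onto each FileCreate record.

    Assumed pipeline step: FileCreate events have no CommandLine field, so the
    join on ProcessGuid is what lets the rule's CommandLine clause match at all.
    File events with no matching process record keep an empty CommandLine and
    therefore can never satisfy the rule (a blind spot worth knowing about).
    """
    cmdline_by_guid = {p["ProcessGuid"]: p.get("CommandLine", "") for p in process_events}
    enriched = []
    for f in file_events:
        rec = dict(f)
        rec.setdefault("CommandLine", cmdline_by_guid.get(f.get("ProcessGuid", ""), ""))
        enriched.append(rec)
    return enriched


def matches(event: Dict[str, str]) -> bool:
    """Evaluate 'condition: all of selection*' for one enriched event."""
    selection = (sigma_endswith(event.get("Image", ""), IMAGE_SUFFIX)
                 and sigma_contains(event.get("CommandLine", ""), CMDLINE_NEEDLE))
    selection_types = any(sigma_endswith(event.get("TargetFilename", ""), s)
                          for s in TARGET_SUFFIXES)
    return selection and selection_types


def detect(process_events, file_events) -> List[str]:
    """Return the TargetFilename of every file event the rule would flag."""
    return [e["TargetFilename"]
            for e in enrich_file_events(process_events, file_events) if matches(e)]


# Constructed sample data (hypothetical GUIDs, paths and command lines).
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
EXPLORER = r"C:\Windows\explorer.exe"
G1, G2, G3 = "{00000000-0000-0000-0000-000000000001}", "{00000000-0000-0000-0000-000000000002}", "{00000000-0000-0000-0000-000000000003}"

PROCESS_EVENTS = [  # Sysmon ID 1
    {"ProcessGuid": G1, "Image": W3WP,
     "CommandLine": W3WP + ' -ap "MSExchangeOWAAppPool" -v "v4.0" -l "webengine4.dll"'},
    {"ProcessGuid": G2, "Image": W3WP, "CommandLine": W3WP + ' -ap "DefaultAppPool" -v "v4.0"'},
    {"ProcessGuid": G3, "Image": EXPLORER, "CommandLine": "explorer.exe"},
]

FILE_EVENTS = [  # Sysmon ID 11
    {"ProcessGuid": G1, "Image": W3WP, "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\sample.aspx"},  # flagged
    {"ProcessGuid": G1, "Image": W3WP, "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\sample.LOG"},  # benign extension
    {"ProcessGuid": G1, "Image": W3WP, "TargetFilename": r"C:\Windows\Temp\helper.DLL"},  # flagged; shows case-insensitivity
    {"ProcessGuid": G2, "Image": W3WP, "TargetFilename": r"C:\inetpub\wwwroot\default.aspx"},  # non-Exchange app pool
    {"ProcessGuid": G3, "Image": EXPLORER, "TargetFilename": r"C:\Users\admin\Desktop\tool.exe"},  # wrong Image
    {"ProcessGuid": "{00000000-0000-0000-0000-000000000009}", "Image": W3WP,
     "TargetFilename": r"C:\inetpub\wwwroot\orphan.aspx"},  # no process record: cannot match
]

if __name__ == "__main__":
    for hit in detect(PROCESS_EVENTS, FILE_EVENTS):
        print("ALERT:", hit)
```

Of the six constructed file events only `sample.aspx` and `helper.DLL` are flagged: the log write fails the extension list, the DefaultAppPool write fails the `MSExchange` clause, the explorer.exe write fails the `Image` clause, and the orphan write shows that missing enrichment silently disables the rule rather than raising an error.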
