Suspicious MSExchangeMailboxReplication ASPX Write

calendar Aug 12, 2024 · attack.initial-access attack.t1190 attack.persistence attack.t1505.003  ·
Share on: linkedin copy

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

Sigma rule (View on GitHub)

 1title: Suspicious MSExchangeMailboxReplication ASPX Write
 2id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
 3status: test
 4description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
 5references:
 6    - https://redcanary.com/blog/blackbyte-ransomware/
 7author: Florian Roth (Nextron Systems)
 8date: 2022-02-25
 9tags:
10    - attack.initial-access
11    - attack.t1190
12    - attack.persistence
13    - attack.t1505.003
14logsource:
15    product: windows
16    category: file_event
17detection:
18    selection:
19        Image|endswith: '\MSExchangeMailboxReplication.exe'
20        TargetFilename|endswith:
21            - '.aspx'
22            - '.asp'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

Related rules

to-top