Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
Sigma rule (View on GitHub)
1title: Suspicious MSExchangeMailboxReplication ASPX Write
2id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
3status: test
4description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
5references:
6 - https://redcanary.com/blog/blackbyte-ransomware/
7author: Florian Roth (Nextron Systems)
8date: 2022/02/25
9tags:
10 - attack.initial_access
11 - attack.t1190
12 - attack.persistence
13 - attack.t1505.003
14logsource:
15 product: windows
16 category: file_event
17detection:
18 selection:
19 Image|endswith: '\MSExchangeMailboxReplication.exe'
20 TargetFilename|endswith:
21 - '.aspx'
22 - '.asp'
23 condition: selection
24falsepositives:
25 - Unknown
26level: high
References
Related rules
- Certificate Request Export to Exchange Webserver
- Hack Tool User Agent
- Shellshock Expression
- Suspicious Named Error
- Suspicious OpenSSH Daemon Error