Suspicious MSExchangeMailboxReplication ASPX Write

Feb 1, 2023 · attack.initial_access attack.t1190 attack.persistence attack.t1505.003 ·

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

Sigma rule (View on GitHub)

 1title: Suspicious MSExchangeMailboxReplication ASPX Write
 2id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
 3status: test
 4description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
 5references:
 6    - https://redcanary.com/blog/blackbyte-ransomware/
 7author: Florian Roth (Nextron Systems)
 8date: 2022/02/25
 9tags:
10    - attack.initial_access
11    - attack.t1190
12    - attack.persistence
13    - attack.t1505.003
14logsource:
15    product: windows
16    category: file_event
17detection:
18    selection:
19        Image|endswith: '\MSExchangeMailboxReplication.exe'
20        TargetFilename|endswith:
21            - '.aspx'
22            - '.asp'
23    condition: selection
24falsepositives:
25    - Unknown
26level: high

References

ProxyShell exploitation leads to BlackByte ransomware - Red Canary

BlackByte ransomware leverages ProxyShell Microsoft Exchange vulnerabilities for initial access and Cobalt Strike for lateral movement.

Read More

Suspicious MSExchangeMailboxReplication ASPX Write

Sigma rule (View on GitHub)

References

ProxyShell exploitation leads to BlackByte ransomware - Red Canary

Related rules