MSExchange Transport Agent Installation
Detects the Installation of a Exchange Transport Agent
Sigma rule (View on GitHub)
1title: MSExchange Transport Agent Installation
2id: 83809e84-4475-4b69-bc3e-4aad8568612f
3related:
4 - id: 83809e84-4475-4b69-bc3e-4aad8568612f
5 type: similar
6status: test
7description: Detects the Installation of a Exchange Transport Agent
8references:
9 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=7
10author: Tobias Michalski (Nextron Systems)
11date: 2021-06-08
12modified: 2022-10-09
13tags:
14 - attack.persistence
15 - attack.t1505.002
16logsource:
17 product: windows
18 category: process_creation
19detection:
20 selection:
21 CommandLine|contains: 'Install-TransportAgent'
22 condition: selection
23fields:
24 - AssemblyPath
25falsepositives:
26 - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
27level: medium
References
-
Microsoft Exchange and Outlook are sufficient parts of almost any corporate infrastructure, regardless of its size. MS Exchange Servers are desired targ…
Read More
Related rules
- Failed MSExchange Transport Agent Installation
- MSExchange Transport Agent Installation - Builtin
- AWS ECS Task Definition That Queries The Credential Endpoint
- AWS ElastiCache Security Group Created
- Abuse of Service Permissions to Hide Services Via Set-Service