Exchange PowerShell Snap-Ins Usage

 1title: Exchange PowerShell Snap-Ins Usage
 2id: 25676e10-2121-446e-80a4-71ff8506af47
 3status: test
 4description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
 5references:
 6    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 7    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 8    - https://www.intrinsec.com/apt27-analysis/
 9author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
10date: 2021/03/03
11modified: 2023/03/24
12tags:
13    - attack.execution
14    - attack.t1059.001
15    - attack.collection
16    - attack.t1114
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith:
23              - '\powershell.exe'
24              - '\pwsh.exe'
25        - OriginalFileName:
26              - 'PowerShell.EXE'
27              - 'pwsh.dll'
28    selection_cli:
29        CommandLine|contains: 'Add-PSSnapin'
30    selection_module:
31        CommandLine|contains:
32            - 'Microsoft.Exchange.Powershell.Snapin'
33            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
34    filter_msiexec:
35        # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
36        ParentImage: 'C:\Windows\System32\msiexec.exe'
37        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
38    condition: all of selection_* and not 1 of filter_*
39falsepositives:
40    - Unknown
41level: high

References

• Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

  

  [UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the […]

  
  Read More

• https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

  
  Read More

• APT27 - One Year To Exfiltrate Them All: Intrusion In-Depth Analysis

  Data leak : In-depth forensic & threat intelligence analysis of the tactics, tools & procedures of an advanced and persistant attack, by the Intrinsec CERT.

  
  Read More

Related rules

• BloodHound Collection Files
• Potential DLL File Download Via PowerShell Invoke-WebRequest
• Malicious PowerShell Commandlets - PoshModule
• Malicious PowerShell Commandlets - ProcessCreation
• Malicious PowerShell Commandlets - ScriptBlock