Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

Sigma rule (View on GitHub)

 1title: Exchange PowerShell Snap-Ins Usage
 2id: 25676e10-2121-446e-80a4-71ff8506af47
 3status: test
 4description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
 5references:
 6    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
 7    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
 8    - https://www.intrinsec.com/apt27-analysis/
 9author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
10date: 2021-03-03
11modified: 2023-03-24
12tags:
13    - attack.execution
14    - attack.t1059.001
15    - attack.collection
16    - attack.t1114
17logsource:
18    category: process_creation
19    product: windows
20detection:
21    selection_img:
22        - Image|endswith:
23              - '\powershell.exe'
24              - '\pwsh.exe'
25        - OriginalFileName:
26              - 'PowerShell.EXE'
27              - 'pwsh.dll'
28    selection_cli:
29        CommandLine|contains: 'Add-PSSnapin'
30    selection_module:
31        CommandLine|contains:
32            - 'Microsoft.Exchange.Powershell.Snapin'
33            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
34    filter_msiexec:
35        # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
36        ParentImage: 'C:\Windows\System32\msiexec.exe'
37        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
38    condition: all of selection_* and not 1 of filter_*
39falsepositives:
40    - Unknown
41level: high

References

Related rules

to-top