WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Sigma rule
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.privilege-escalation
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
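To see how the selection and the two filters combine under `condition: selection and not 1 of filter_*`, here is an added Python evaluation of the rule's logic over constructed process_creation events; it is not part of the Sigma project and assumes only that events expose `Image` and `ParentImage` fields and that string matching is case-insensitive, as Sigma specifies for these modifiers. The `V15` install path in the sample events is an assumption.

```python
# Added example, not code from the Sigma project: evaluates the rule's
# detection logic over constructed process_creation events.
from typing import Dict, List

# Constructed sample events using Sigma process_creation field names.
# The Exchange "V15" path below is an assumed install location.
EXCHANGE_BIN = r"C:\Program Files\Microsoft\Exchange Server\V15\Bin"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # True positive shape: unexpected child of the transport service.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": EXCHANGE_BIN + r"\EdgeTransport.exe"},
    # Known benign children excluded by the rule's filters.
    {"Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": EXCHANGE_BIN + r"\EdgeTransport.exe"},
    {"Image": EXCHANGE_BIN + r"\OleConverter.exe",
     "ParentImage": EXCHANGE_BIN + r"\EdgeTransport.exe"},
    # Unrelated process tree: selection does not match at all.
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Sigma string modifiers compare case-insensitively, so normalise once.
EXCHANGE_PREFIX = "c:\\program files\\microsoft\\exchange server\\"


def selection(ev: Dict[str, str]) -> bool:
    # ParentImage|endswith: '\EdgeTransport.exe'
    return ev.get("ParentImage", "").lower().endswith(r"\edgetransport.exe")


def filter_conhost(ev: Dict[str, str]) -> bool:
    # Image: 'C:\Windows\System32\conhost.exe'  (exact, case-insensitive)
    return ev.get("Image", "").lower() == r"c:\windows\system32\conhost.exe"


def filter_oleconverter(ev: Dict[str, str]) -> bool:
    # Both Image|startswith and Image|endswith must hold (AND within a map).
    img = ev.get("Image", "").lower()
    return img.startswith(EXCHANGE_PREFIX) and img.endswith(r"\bin\oleconverter.exe")


def matches(ev: Dict[str, str]) -> bool:
    # condition: selection and not 1 of filter_*
    return selection(ev) and not (filter_conhost(ev) or filter_oleconverter(ev))


def alerts(events: List[Dict[str, str]]) -> List[str]:
    """Return the Image of every event the rule would fire on."""
    return [ev["Image"] for ev in events if matches(ev)]
```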
Related rules
- Powershell WMI Persistence
- WMI Event Subscription
- WMI Persistence - Command Line Event Consumer
- WMI Persistence - Script Event Consumer File Write
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load