WMI Backdoor Exchange Transport Agent

Detects a WMI backdoor in Exchange Transport Agents via WMI event filters

Sigma rule (View on GitHub)

 1title: WMI Backdoor Exchange Transport Agent
 2id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
 3status: test
 4description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
 5references:
 6    - https://twitter.com/cglyer/status/1182389676876980224
 7    - https://twitter.com/cglyer/status/1182391019633029120
 8author: Florian Roth (Nextron Systems)
 9date: 2019-10-11
10modified: 2023-02-08
11tags:
12    - attack.persistence
13    - attack.t1546.003
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        ParentImage|endswith: '\EdgeTransport.exe'
20    filter_conhost:
21        Image: 'C:\Windows\System32\conhost.exe'
22    filter_oleconverter:  # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
23        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
24        Image|endswith: '\Bin\OleConverter.exe'
25    condition: selection and not 1 of filter_*
26falsepositives:
27    - Unknown
28level: critical

References

Related rules

to-top