WMI Backdoor Exchange Transport Agent
Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
Sigma rule
title: WMI Backdoor Exchange Transport Agent
id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
status: test
description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
references:
    - https://twitter.com/cglyer/status/1182389676876980224
    - https://twitter.com/cglyer/status/1182391019633029120
author: Florian Roth (Nextron Systems)
date: 2019-10-11
modified: 2023-02-08
tags:
    - attack.persistence
    - attack.t1546.003
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\EdgeTransport.exe'
    filter_conhost:
        Image: 'C:\Windows\System32\conhost.exe'
    filter_oleconverter: # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
        Image|endswith: '\Bin\OleConverter.exe'
    condition: selection and not 1 of filter_*
falsepositives:
    - Unknown
level: critical
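The detection section of the rule, evaluated against a handful of constructed process_creation events, as an added example that is neither the rule author's nor the Sigma project's code. It implements the three named blocks (selection, filter_conhost, filter_oleconverter) and the condition exactly as written above, using Sigma's default case-insensitive string matching; the sample events, the V15 install path and the field names are assumptions for illustration.

```python
# Added example (not the Sigma project's code): a minimal evaluator for the
# detection logic of the rule above, run over constructed process_creation
# events. Field names follow the Sigma process_creation taxonomy the rule uses
# (ParentImage, Image); the sample paths and events are assumptions.

# Sigma string matching is case-insensitive by default, so compare lower-cased.
def _lc(value):
    return str(value).lower()


def selection(event):
    # ParentImage|endswith: '\EdgeTransport.exe'
    return _lc(event.get("ParentImage", "")).endswith("\\edgetransport.exe")


def filter_conhost(event):
    # Image: 'C:\Windows\System32\conhost.exe' (exact match, case-insensitive)
    return _lc(event.get("Image", "")) == "c:\\windows\\system32\\conhost.exe"


def filter_oleconverter(event):
    # Image|startswith and Image|endswith inside one map are AND-ed
    image = _lc(event.get("Image", ""))
    return (image.startswith("c:\\program files\\microsoft\\exchange server\\")
            and image.endswith("\\bin\\oleconverter.exe"))


FILTERS = [filter_conhost, filter_oleconverter]


def rule_matches(event):
    # condition: selection and not 1 of filter_*
    return selection(event) and not any(f(event) for f in FILTERS)


def alerts(events):
    """Return the events the rule would fire on, in input order."""
    return [e for e in events if rule_matches(e)]


# Constructed sample process_creation events (not real telemetry).
EXCHANGE_BIN = "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\"
SAMPLE_EVENTS = [
    # 1: unexpected child of the transport service -> should alert
    {"ParentImage": EXCHANGE_BIN + "EdgeTransport.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # 2: console host spawned for a child process -> documented FP, filtered
    {"ParentImage": EXCHANGE_BIN + "EdgeTransport.exe",
     "Image": "C:\\Windows\\System32\\conhost.exe"},
    # 3: OleConverter launched by the transport service -> documented FP, filtered
    {"ParentImage": EXCHANGE_BIN + "EdgeTransport.exe",
     "Image": EXCHANGE_BIN + "OleConverter.exe"},
    # 4: same child image but a different parent -> selection does not match
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe"},
    # 5: different letter case must still hit selection and the conhost filter
    {"ParentImage": EXCHANGE_BIN.upper() + "EDGETRANSPORT.EXE",
     "Image": "c:\\windows\\system32\\CONHOST.EXE"},
]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["Image"])
```

Only event 1 survives: the rule fires on every child process of EdgeTransport.exe except the two documented benign ones, so tuning for a new benign child belongs in an additional filter_* block picked up by `1 of filter_*`, not in a looser selection.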
Related rules
- New ActiveScriptEventConsumer Created Via Wmic.EXE
- Suspicious Encoded Scripts in a WMI Consumer
- WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load
- WMI Event Subscription
- WMI Persistence