WMI Backdoor Exchange Transport Agent

 1title: WMI Backdoor Exchange Transport Agent
 2id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
 3status: test
 4description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
 5references:
 6    - https://twitter.com/cglyer/status/1182389676876980224
 7    - https://twitter.com/cglyer/status/1182391019633029120
 8author: Florian Roth (Nextron Systems)
 9date: 2019/10/11
10modified: 2023/02/08
11tags:
12    - attack.persistence
13    - attack.t1546.003
14logsource:
15    category: process_creation
16    product: windows
17detection:
18    selection:
19        ParentImage|endswith: '\EdgeTransport.exe'
20    filter_conhost:
21        Image: 'C:\Windows\System32\conhost.exe'
22    filter_oleconverter:  # FP also documented in https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=18
23        Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\'
24        Image|endswith: '\Bin\OleConverter.exe'
25    condition: selection and not 1 of filter_*
26falsepositives:
27    - Unknown
28level: critical

References

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

• Something went wrong, but don’t fret — let’s give it another shot.

  
  Read More

Related rules

• Suspicious Encoded Scripts in a WMI Consumer
• WMI Persistence - Security
• WMI Persistence - Script Event Consumer
• WMI Persistence - Command Line Event Consumer
• WMI Persistence - Script Event Consumer File Write