title: Mailbox Export to Exchange Webserver
author: Florian Roth, Rich Warren, Christian Burkard
date: 2021/08/09
description: Detects a successful export of an Exchange mailbox to an untypical directory or with an aspx name suffix, which can be used to place a webshell, or the role assignment needed for it
detection:
  condition: (((New-MailboxExportRequest and -Mailbox ) and (-FilePath "\\localhost\C$ or -FilePath "\\127.0.0.1\C$ or .aspx)) or (New-ManagementRoleAssignment and -Role "Mailbox Import Export" and -User ))
falsepositives:
  - unlikely
id: 516376b4-05cd-4122-bae0-ad7641c38d48
level: critical
logsource:
  product: windows
  service: msexchange-management
modified: 2021/08/11
references:
  - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
status: experimental
tags:
  - attack.persistence
  - attack.t1505.003
yml_filename: win_exchange_proxyshell_mailbox_export.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other