36 lines
881 B
YAML
36 lines
881 B
YAML
|
|
title: Certificate Request Export to Exchange Webserver
|
|
author: Max Altgelt
|
|
date: 2021/08/23
|
|
description: Detects a write of an Exchange CSR to an untypical directory or with
|
|
aspx name suffix which can be used to place a webshell
|
|
detection:
|
|
SELECTION_1:
|
|
- New-ExchangeCertificate
|
|
SELECTION_2:
|
|
- ' -GenerateRequest'
|
|
SELECTION_3:
|
|
- ' -BinaryEncoded'
|
|
SELECTION_4:
|
|
- ' -RequestFile'
|
|
SELECTION_5:
|
|
- \\\\localhost\\C$
|
|
- \\\\127.0.0.1\\C$
|
|
- C:\\inetpub
|
|
- .aspx
|
|
condition: ((SELECTION_1 and SELECTION_2 and SELECTION_3 and SELECTION_4) and (SELECTION_5))
|
|
falsepositives:
|
|
- unlikely
|
|
id: b7bc7038-638b-4ffd-880c-292c692209ef
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
service: msexchange-management
|
|
references:
|
|
- https://twitter.com/GossiTheDog/status/1429175908905127938
|
|
status: experimental
|
|
tags:
|
|
- attack.persistence
|
|
- attack.t1505.003
|
|
ruletype: SIGMA
|