28 lines
1022 B
YAML
title: Mailbox Export to Exchange Webserver
author: Florian Roth, Rich Warren, Christian Burkard
date: 2021/08/09
description: Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment needed for it
detection:
    condition: (((New-MailboxExportRequest and -Mailbox ) and (-FilePath "\\localhost\C$ or -FilePath "\\127.0.0.1\C$ or .aspx)) or (New-ManagementRoleAssignment and -Role "Mailbox Import Export" and -User ))
falsepositives:
    - unlikely
id: 516376b4-05cd-4122-bae0-ad7641c38d48
level: critical
logsource:
    product: windows
    service: msexchange-management
modified: 2021/08/11
references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
status: experimental
tags:
    - attack.persistence
    - attack.t1505.003
yml_filename: win_exchange_proxyshell_mailbox_export.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/other