Detection: Windows MSExchange Management Mailbox Cmdlet Usage

Updated Date: 2024-09-30 ID: 396de86f-25e7-4b0e-be09-a330be35249d Author: Michael Haag, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.

Search

1`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") 
2| stats count min(_time) as firstTime max(_time) as lastTime by host Message 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| rename host AS dest 
6| `windows_msexchange_management_mailbox_cmdlet_usage_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	N/A	`'crowdstrike:events:sensor'`	`'crowdstrike'`
Sysmon EventID 1	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`
Windows Event Log Security 4688	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Security'`

Macros Used

Name	Value
msexchange_management	`sourcetype=MSExchange:management`
windows_msexchange_management_mailbox_cmdlet_usage_filter	`search *`

windows_msexchange_management_mailbox_cmdlet_usage_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1059	Command and Scripting Interpreter	Execution
T1059.001	PowerShell	Execution

KillChainPhase.INSTALLATION

NistCategory.DE_AE

Cis18Value.CIS_10

APT19

APT32

APT37

APT39

Dragonfly

FIN5

FIN6

FIN7

Fox Kitten

Ke3chang

OilRig

Saint Bear

Stealth Falcon

Whitefly

Windigo

Winter Vivern

APT19

APT28

APT29

APT3

APT32

APT33

APT38

APT39

APT41

APT5

Aquatic Panda

BRONZE BUTLER

Blue Mockingbird

CURIUM

Chimera

Cinnamon Tempest

Cobalt Group

Confucius

CopyKittens

Daggerfly

DarkHydrus

DarkVishnya

Deep Panda

Dragonfly

Earth Lusca

Ember Bear

FIN10

FIN13

FIN6

FIN7

FIN8

Fox Kitten

GALLIUM

GOLD SOUTHFIELD

Gallmaker

Gamaredon Group

Gorgon Group

HAFNIUM

HEXANE

Inception

Indrik Spider

Kimsuky

Lazarus Group

LazyScripter

Leviathan

Magic Hound

Molerats

MoustachedBouncer

MuddyWater

Mustang Panda

Nomadic Octopus

OilRig

Patchwork

Play

Poseidon Group

RedCurl

Saint Bear

Sandworm Team

Sidewinder

Silence

Stealth Falcon

TA2541

TA459

TA505

TeamTNT

Threat Group-3390

Thrip

ToddyCat

Tonto Team

Turla

Volt Typhoon

WIRTE

Winter Vivern

Wizard Spider

menuPass

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.

Known False Positives

False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message	Risk Score	Impact	Confidence
Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.	32	40	80

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

References

https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`WinEventLog:MSExchange Management`	`MSExchange:management`
Integration	✅ Passing	Dataset	`WinEventLog:MSExchange Management`	`MSExchange:management`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 3