ID | Technique | Tactic |
---|---|---|
T1059 | Command and Scripting Interpreter | Execution |
T1059.001 | PowerShell | Execution |
Detection: Windows MSExchange Management Mailbox Cmdlet Usage
Description
The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.
Search
1`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*")
2| stats count min(_time) as firstTime max(_time) as lastTime by host Message
3| `security_content_ctime(firstTime)`
4| `security_content_ctime(lastTime)`
5| rename host AS dest
6| `windows_msexchange_management_mailbox_cmdlet_usage_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
CrowdStrike ProcessRollup2 | N/A | 'crowdstrike:events:sensor' |
'crowdstrike' |
Sysmon EventID 1 | Windows | 'xmlwineventlog' |
'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational' |
Windows Event Log Security 4688 | Windows | 'xmlwineventlog' |
'XmlWinEventLog:Security' |
Macros Used
Name | Value |
---|---|
msexchange_management | sourcetype=MSExchange:management |
windows_msexchange_management_mailbox_cmdlet_usage_filter | search * |
windows_msexchange_management_mailbox_cmdlet_usage_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Risk Event | True |
Implementation
The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.
Known False Positives
False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$. | 32 | 40 | 80 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | WinEventLog:MSExchange Management |
MSExchange:management |
Integration | ✅ Passing | Dataset | WinEventLog:MSExchange Management |
MSExchange:management |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 3