Try in Splunk Security Cloud

Description

The following analytic uses the Exchange Management logs, that are enabled by default, to identify suspicious Cmdlet usage related to ProxyShell and ProxyNotShell abuse.

  • Type: Anomaly

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2022-11-21
  • Author: Michael Haag, Splunk
  • ID: 396de86f-25e7-4b0e-be09-a330be35249d

Annotations

ATT&CK

ATT&CK

ID Technique Tactic
T1059 Command and Scripting Interpreter Execution
T1059.001 PowerShell Execution
Kill Chain Phase
  • Installation
NIST
  • DE.AE
CIS20
  • CIS 10
CVE 


1
2
3
4
5
6



`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") 
| stats count min(_time) as firstTime max(_time) as lastTime by host Message 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rename host AS dest 
| `windows_msexchange_management_mailbox_cmdlet_usage_filter`

Macros

The SPL above uses the following Macros:

:information_source: windows_msexchange_management_mailbox_cmdlet_usage_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Message
  • dest

How To Implement

The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.

Known False Positives

False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.

Associated Analytic Story

RBA

Risk Score Impact Confidence Message
32.0 40 80 Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 1