Windows MSExchange Management Mailbox Cmdlet Usage
Description
The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-22
- Author: Michael Haag, Splunk
- ID: 396de86f-25e7-4b0e-be09-a330be35249d
Annotations
ATT&CK
Kill Chain Phase
- Installation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*")
| stats count min(_time) as firstTime max(_time) as lastTime by host Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename host AS dest
| `windows_msexchange_management_mailbox_cmdlet_usage_filter`
Macros
The SPL above uses the following Macros:
windows_msexchange_management_mailbox_cmdlet_usage_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- Message
- dest
How To Implement
The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.
Known False Positives
False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
32.0 | 40 | 80 | Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 2