Try in Splunk Security Cloud


The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.

  • Type: Anomaly
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2024-05-22
  • Author: Michael Haag, Splunk
  • ID: 396de86f-25e7-4b0e-be09-a330be35249d




ID Technique Tactic
T1059 Command and Scripting Interpreter Execution
T1059.001 PowerShell Execution
Kill Chain Phase
  • Installation
  • DE.AE
  • CIS 10
`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") 
| stats count min(_time) as firstTime max(_time) as lastTime by host Message 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| rename host AS dest 
| `windows_msexchange_management_mailbox_cmdlet_usage_filter`


The SPL above uses the following Macros:

:information_source: windows_msexchange_management_mailbox_cmdlet_usage_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • Message
  • dest

How To Implement

The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.

Known False Positives

False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.

Associated Analytic Story


Risk Score Impact Confidence Message
32.0 40 80 Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2