/
exchange_powershell_module_usage.yml
89 lines (85 loc) · 4.05 KB
/
exchange_powershell_module_usage.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
name: Exchange PowerShell Module Usage
id: 2d10095e-05ae-11ec-8fdf-acde48001122
version: 5
date: '2023-07-10'
author: Michael Haag, Splunk
status: production
type: TTP
description: 'The following analytic identifies the usage of Exchange PowerShell modules
that were recently used for a proof of concept related to ProxyShell. Adversaries
may abuse a limited set of PwSh Modules related to Exchange once gained access via
ProxyShell or ProxyNotShell.
Inherently, the usage of the modules is not malicious, but reviewing parallel processes,
and user, of the session will assist with determining the intent.
Module - New-MailboxExportRequest will begin the process of exporting contents of
a primary mailbox or archive to a .pst file.
Module - New-managementroleassignment can assign a management role to a management
role group, management role assignment policy, user, or universal security group
(USG).
Module - New-MailboxSearch cmdlet to create a mailbox search and either get an estimate
of search results, place search results on In-Place Hold or copy them to a Discovery
mailbox. You can also place all contents in a mailbox on hold by not specifying
a search query, which accomplishes similar results as Litigation Hold. \ Module
- Get-Recipient cmdlet to view existing recipient objects in your organization.
This cmdlet returns all mail-enabled objects (for example, mailboxes, mail users,
mail contacts, and distribution groups).'
data_source:
- Powershell Script Block Logging 4104
search: '`powershell` EventCode=4104 ScriptBlockText IN ("*New-MailboxExportRequest*",
"*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "Search-Mailbox")
| stats count min(_time) as firstTime max(_time) as lastTime by Opcode Computer
UserID EventCode ScriptBlockText | rename Computer as dest |rename UserID as user | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`
| `exchange_powershell_module_usage_filter`'
how_to_implement: To successfully implement this analytic, you will need to enable
PowerShell Script Block Logging on some or all endpoints. Additional setup here
https://docs.splunk.com/Documentation/UBA/5.0.4.1/GetDataIn/AddPowerShell#Configure_module_logging_for_PowerShell.
known_false_positives: Administrators or power users may use this PowerShell commandlet
for troubleshooting.
references:
- https://docs.microsoft.com/en-us/powershell/module/exchange/new-mailboxexportrequest?view=exchange-ps
- https://docs.microsoft.com/en-us/powershell/module/exchange/new-managementroleassignment?view=exchange-ps
- https://blog.orange.tw/2021/08/proxyshell-a-new-attack-surface-on-ms-exchange-part-3.html
- https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell
- https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/
- https://www.cisa.gov/uscert/ncas/alerts/aa22-264a
- https://learn.microsoft.com/en-us/powershell/module/exchange/new-mailboxsearch?view=exchange-ps
- https://learn.microsoft.com/en-us/powershell/module/exchange/get-recipient?view=exchange-ps
- https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
tags:
analytic_story:
- ProxyNotShell
- CISA AA22-277A
- ProxyShell
- BlackByte Ransomware
- CISA AA22-264A
asset_type: Endpoint
confidence: 80
impact: 40
message: Suspicious Exchange PowerShell module usaged was identified on $dest$.
mitre_attack_id:
- T1059
- T1059.001
observable:
- name: dest
type: Endpoint
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- ScriptBlockText
- Opcode
- Computer
- UserID
- EventCode
risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/windows-powershell.log
source: XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
sourcetype: XmlWinEventLog