/
ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
98 lines (98 loc) · 4.5 KB
/
ms_exchange_mailbox_replication_service_writing_active_server_pages.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
name: MS Exchange Mailbox Replication service writing Active Server Pages
id: 985f322c-57a5-11ec-b9ac-acde48001122
version: 1
date: '2023-07-10'
author: Michael Haag, Splunk
status: experimental
type: TTP
description: 'The following query identifies suspicious .aspx created in 3 paths identified
by Microsoft as known drop locations for Exchange exploitation related to HAFNIUM
group and recently disclosed vulnerablity named ProxyShell. Paths include: `\HttpProxy\owa\auth\`,
`\inetpub\wwwroot\aspnet_client\`, and `\HttpProxy\OAB\`. The analytic is limited
to process name MSExchangeMailboxReplication.exe, which typically does not write
.aspx files to disk. Upon triage, the suspicious .aspx file will likely look obvious
on the surface. inspect the contents for script code inside. Identify additional
log sources, IIS included, to review source and other potential exploitation. It
is often the case that a particular threat is only applicable to a specific subset
of systems in your environment. Typically analytics to detect those threats are
written without the benefit of being able to only target those systems as well.
Writing analytics against all systems when those behaviors are limited to identifiable
subsets of those systems is suboptimal. Consider the case ProxyShell vulnerability
on Microsoft Exchange Servers. With asset information, a hunter can limit their
analytics to systems that have been identified as Exchange servers. A hunter may
start with the theory that the exchange server is communicating with new systems
that it has not previously. If this theory is run against all publicly facing systems,
the amount of noise it will generate will likely render this theory untenable. However,
using the asset information to limit this analytic to just the Exchange servers
will reduce the noise allowing the hunter to focus only on the systems where this
behavioral change is relevant.'
data_source:
- Sysmon EventID 1
- Sysmon EventID 11
search: '| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes
where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h
Processes.process_id Processes.process_name Processes.process_guid Processes.dest
| `drop_dm_object_name(Processes)` | join process_guid, _time [| tstats `security_content_summariesonly`
count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem
where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*",
"*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest
Filesystem.file_create_time Filesystem.file_name Filesystem.file_path | `drop_dm_object_name(Filesystem)`
| fields _time dest file_create_time file_name file_path process_name process_path
process process_guid] | dedup file_create_time | table dest file_create_time, file_name,
file_path, process_name | `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`'
how_to_implement: To successfully implement this search you need to be ingesting information
on process that include the name of the process responsible for the changes from
your endpoints into the `Endpoint` datamodel in the `Processes` node and `Filesystem`
node.
known_false_positives: The query is structured in a way that `action` (read, create)
is not defined. Review the results of this query, filter, and tune as necessary.
It may be necessary to generate this query specific to your endpoint product.
references:
- https://redcanary.com/blog/blackbyte-ransomware/
tags:
analytic_story:
- ProxyShell
- Ransomware
- BlackByte Ransomware
asset_type: Endpoint
confidence: 90
impact: 90
message: A file - $file_name$ was written to disk that is related to IIS exploitation
related to ProxyShell. Review further file modifications on endpoint $dest$ by
user $user$.
mitre_attack_id:
- T1505
- T1505.003
- T1190
- T1133
observable:
- name: user
type: User
role:
- Victim
- name: dest
type: Hostname
role:
- Victim
- name: file_name
type: File Name
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Filesystem.file_path
- Filesystem.process_id
- Filesystem.file_name
- Filesystem.file_hash
- Filesystem.user
- Filesystem.process_guid
- Processes.process_name
- Processes.process_id
- Processes.process_name
- Processes.process_guid
risk_score: 81
security_domain: endpoint