/
windows_msexchange_management_mailbox_cmdlet_usage.yml
60 lines (60 loc) · 2.22 KB
/
windows_msexchange_management_mailbox_cmdlet_usage.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
name: Windows MSExchange Management Mailbox Cmdlet Usage
id: 396de86f-25e7-4b0e-be09-a330be35249d
version: 1
date: '2023-07-10'
author: Michael Haag, Splunk
status: production
type: Anomaly
description: The following analytic uses the Exchange Management logs, that are enabled
by default, to identify suspicious Cmdlet usage related to ProxyShell and ProxyNotShell
abuse.
data_source:
- Sysmon EventID 1
search: '`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*",
"*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*")
| stats count min(_time) as firstTime max(_time) as lastTime by host Message | `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)` | rename host AS dest | `windows_msexchange_management_mailbox_cmdlet_usage_filter`'
how_to_implement: The following analytic requires collecting the Exchange Management
logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178.
We used multiline as the XML format of the logs will require props/transforms. Multiline
gives us everything we need in Message for now. Update the macro with your correct
sourcetype.
known_false_positives: False positives may be present when an Administrator utilizes
the cmdlets in the query. Filter or monitor as needed.
references:
- https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178
tags:
analytic_story:
- ProxyShell
- BlackByte Ransomware
- ProxyNotShell
asset_type: Endpoint
confidence: 80
impact: 40
message: Cmdlets related to ProxyShell and ProxyNotShell have been identified on
$dest$.
mitre_attack_id:
- T1059
- T1059.001
observable:
- name: dest
type: Hostname
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- Message
- dest
risk_score: 32
security_domain: endpoint
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1059.001/exchange/msexchangemanagement.log
source: WinEventLog:MSExchange Management
sourcetype: MSExchange:management
update_timestamp: true