EXPLORE
Sign In
← Back to Explore
sigmahighHunting

Exchange PowerShell Snap-Ins Usage

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

MITRE ATT&CK

T1059.001T1114
executioncollection

Detection Query

selection_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - PowerShell.EXE
      - pwsh.dll
selection_cli:
  CommandLine|contains: Add-PSSnapin
selection_module:
  CommandLine|contains:
    - Microsoft.Exchange.Powershell.Snapin
    - Microsoft.Exchange.Management.PowerShell.SnapIn
filter_msiexec:
  ParentImage: C:\Windows\System32\msiexec.exe
  CommandLine|contains: $exserver=Get-ExchangeServer ([Environment]::MachineName)
    -ErrorVariable exerr 2> $null
condition: all of selection_* and not 1 of filter_*

Author

FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)

Created

2021-03-03

Data Sources

windowsProcess Creation Events

Platforms

windows

References

Tags

attack.executionattack.t1059.001attack.collectionattack.t1114
Raw Content
title: Exchange PowerShell Snap-Ins Usage
id: 25676e10-2121-446e-80a4-71ff8506af47
status: test
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27
references:
    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://www.intrinsec.com/apt27-analysis/
author: FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
date: 2021-03-03
modified: 2023-03-24
tags:
    - attack.execution
    - attack.t1059.001
    - attack.collection
    - attack.t1114
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'PowerShell.EXE'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains: 'Add-PSSnapin'
    selection_module:
        CommandLine|contains:
            - 'Microsoft.Exchange.Powershell.Snapin'
            - 'Microsoft.Exchange.Management.PowerShell.SnapIn'
    filter_msiexec:
        # ParentCommandLine: C:\Windows\System32\MsiExec.exe -Embedding C9138ECE2536CB4821EB5F55D300D88E E Global\MSI0000
        ParentImage: 'C:\Windows\System32\msiexec.exe'
        CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
    condition: all of selection_* and not 1 of filter_*
falsepositives:
    - Unknown
level: high