← Back to Explore
sigmacriticalHunting
Mailbox Export to Exchange Webserver
Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
Detection Query
export_command:
"|all":
- New-MailboxExportRequest
- " -Mailbox "
export_params:
- -FilePath "\\\\
- .aspx
role_assignment:
"|all":
- New-ManagementRoleAssignment
- ' -Role "Mailbox Import Export"'
- " -User "
condition: (export_command and export_params) or role_assignment
Author
Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
Created
2021-08-09
Data Sources
windowsmsexchange-management
Platforms
windows
Tags
attack.persistenceattack.t1505.003
Raw Content
title: Mailbox Export to Exchange Webserver
id: 516376b4-05cd-4122-bae0-ad7641c38d48
status: test
description: Detects a successful export of an Exchange mailbox to untypical directory or with aspx name suffix which can be used to place a webshell or the needed role assignment for it
references:
- https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
author: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems)
date: 2021-08-09
modified: 2023-04-30
tags:
- attack.persistence
- attack.t1505.003
logsource:
service: msexchange-management
product: windows
detection:
export_command:
'|all':
- 'New-MailboxExportRequest'
- ' -Mailbox '
export_params:
- '-FilePath "\\\\' # We care about any share location.
- '.aspx'
role_assignment:
'|all':
- 'New-ManagementRoleAssignment'
- ' -Role "Mailbox Import Export"'
- ' -User '
condition: (export_command and export_params) or role_assignment
falsepositives:
- Unlikely
level: critical