sigmahighHunting

Suspicious MSExchangeMailboxReplication ASPX Write

Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation

MITRE ATT&CK

T1190 T1505.003

initial-accesspersistence

Detection Query

selection:
  Image|endswith: \MSExchangeMailboxReplication.exe
  TargetFilename|endswith:
    - .aspx
    - .asp
condition: selection

Author

Florian Roth (Nextron Systems)

Created

2022-02-25

Data Sources

windowsFile Events

Platforms

windows

References

https://redcanary.com/blog/blackbyte-ransomware/

Tags

attack.initial-accessattack.t1190attack.persistenceattack.t1505.003

Raw Content

title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
references:
    - https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
    - attack.initial-access
    - attack.t1190
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\MSExchangeMailboxReplication.exe'
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
    condition: selection
falsepositives:
    - Unknown
level: high