sigmacriticalHunting

Certificate Request Export to Exchange Webserver

Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell

MITRE ATT&CK

T1505.003

persistence

Detection Query

keywords_export_command:
  "|all":
    - New-ExchangeCertificate
    - " -GenerateRequest"
    - " -BinaryEncoded"
    - " -RequestFile"
keywords_export_params:
  - \\\\localhost\\C$
  - \\\\127.0.0.1\\C$
  - C:\\inetpub
  - .aspx
condition: keywords_export_command and keywords_export_params

Author

Max Altgelt (Nextron Systems)

Created

2021-08-23

Data Sources

windowsmsexchange-management

Platforms

windows

References

https://twitter.com/GossiTheDog/status/1429175908905127938

Tags

attack.persistenceattack.t1505.003

Raw Content

title: Certificate Request Export to Exchange Webserver
id: b7bc7038-638b-4ffd-880c-292c692209ef
status: test
description: Detects a write of an Exchange CSR to an untypical directory or with aspx name suffix which can be used to place a webshell
references:
    - https://twitter.com/GossiTheDog/status/1429175908905127938
author: Max Altgelt (Nextron Systems)
date: 2021-08-23
modified: 2023-01-23
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    service: msexchange-management
    product: windows
detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params
falsepositives:
    - Unlikely
level: critical