sigmahighHunting

Failed MSExchange Transport Agent Installation

Detects a failed installation of a Exchange Transport Agent

MITRE ATT&CK

persistence

Detection Query

selection:
  EventID: 6
  Data|contains: Install-TransportAgent
condition: selection

Author

Tobias Michalski (Nextron Systems)

Created

2021-06-08

Data Sources

windowsmsexchange-management

Platforms

windows

References

https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8

Tags

attack.persistenceattack.t1505.002

Raw Content

title: Failed MSExchange Transport Agent Installation
id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
status: test
description: Detects a failed installation of a Exchange Transport Agent
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=8
author: Tobias Michalski (Nextron Systems)
date: 2021-06-08
modified: 2022-07-12
tags:
    - attack.persistence
    - attack.t1505.002
logsource:
    service: msexchange-management
    product: windows
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        EventID: 6
        Data|contains: 'Install-TransportAgent'
    condition: selection
falsepositives:
    - Legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this.
level: high