Detection: Windows MSExchange Management Mailbox Cmdlet Usage

Updated Date: 2024-11-13 ID: 396de86f-25e7-4b0e-be09-a330be35249d Author: Michael Haag, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies suspicious Cmdlet usage in Exchange Management logs, focusing on commands like New-MailboxExportRequest and New-ManagementRoleAssignment. It leverages EventCode 1 and specific Message patterns to detect potential ProxyShell and ProxyNotShell abuse. This activity is significant as it may indicate unauthorized access or manipulation of mailboxes and roles, which are critical for maintaining email security. If confirmed malicious, attackers could export mailbox data, assign new roles, or search mailboxes, leading to data breaches and privilege escalation.

Search

1`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*") 
2| stats count min(_time) as firstTime max(_time) as lastTime by host Message 
3| `security_content_ctime(firstTime)` 
4| `security_content_ctime(lastTime)` 
5| rename host AS dest 
6| `windows_msexchange_management_mailbox_cmdlet_usage_filter`

Data Source

Name	Platform	Sourcetype	Source
CrowdStrike ProcessRollup2	N/A	`'crowdstrike:events:sensor'`	`'crowdstrike'`
Sysmon EventID 1	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Microsoft-Windows-Sysmon/Operational'`
Windows Event Log Security 4688	Windows	`'xmlwineventlog'`	`'XmlWinEventLog:Security'`

Macros Used

Name	Value
msexchange_management	`sourcetype=MSExchange:management`
windows_msexchange_management_mailbox_cmdlet_usage_filter	`search *`

windows_msexchange_management_mailbox_cmdlet_usage_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1059	Command and Scripting Interpreter	Execution
T1059.001	PowerShell	Execution

Installation

DE.AE

CIS 10

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

The following analytic requires collecting the Exchange Management logs via a input. An example inputs is here https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178. We used multiline as the XML format of the logs will require props/transforms. Multiline gives us everything we need in Message for now. Update the macro with your correct sourcetype.

Known False Positives

False positives may be present when an Administrator utilizes the cmdlets in the query. Filter or monitor as needed.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Cmdlets related to ProxyShell and ProxyNotShell have been identified on $dest$.

Risk Object	Risk Object Type	Risk Score	Threat Objects
dest	system	32	No Threat Objects

References

https://gist.github.com/MHaggis/f66f1d608ea046efb9157020cd34c178

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`WinEventLog:MSExchange Management`	`MSExchange:management`
Integration	✅ Passing	Dataset	`WinEventLog:MSExchange Management`	`MSExchange:management`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 4