Techniques
Sample rules
Windows MSExchange Management Mailbox Cmdlet Usage
- source: splunk
- techniques:
- T1059
- T1059.001
Description
The following analytic uses the Exchange Management logs, which are enabled by default, to identify suspicious Cmdlet usage associated with ProxyShell and ProxyNotShell abuse.
Detection logic
`msexchange_management` EventCode=1 Message IN ("*New-MailboxExportRequest*", "*New-ManagementRoleAssignment*", "*New-MailboxSearch*", "*Get-Recipient*", "*Search-Mailbox*")
| stats count min(_time) as firstTime max(_time) as lastTime by host Message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| rename host AS dest
| `windows_msexchange_management_mailbox_cmdlet_usage_filter`
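The search above cannot be run outside Splunk, so here is an added, stand-alone Python emulation of its logic (example code, not Splunk's and not part of the security_content project) that a detection engineer can use to reason about what the rule will and will not match. It takes only the search from the page; the sample events, field names and helper names are constructed assumptions. The `EventCode=1` and wildcard `Message IN (...)` filters are reproduced (Splunk wildcard matching is case-insensitive, which the emulation mirrors), the `stats ... by host Message` aggregation is computed, `host` is renamed to `dest`, and the trailing `windows_msexchange_management_mailbox_cmdlet_usage_filter` macro is modelled as a caller-supplied `allow` predicate, since that macro is where an analyst would tune out known-good administrative hosts.

```python
"""Emulation of the 'Windows MSExchange Management Mailbox Cmdlet Usage' search.

Added example, not code from Splunk or the security_content project. The
sample events below are constructed and the record layout is an assumption.
"""
from datetime import datetime, timezone
from fnmatch import fnmatchcase

# Cmdlet wildcards taken from the search's `Message IN (...)` clause.
SUSPICIOUS_CMDLET_PATTERNS = (
    "*New-MailboxExportRequest*",
    "*New-ManagementRoleAssignment*",
    "*New-MailboxSearch*",
    "*Get-Recipient*",
    "*Search-Mailbox*",
)

# Constructed sample events (not real telemetry). Message text only mimics the
# "Cmdlet succeeded. Cmdlet <name>, parameters {...}." shape of MSExchange
# Management event 1 entries; `_time` is a Unix epoch, as in Splunk.
SAMPLE_EVENTS = [
    {"_time": 1673341200, "host": "EXCH01", "EventCode": 1,
     "Message": "Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=alice}."},
    {"_time": 1673341260, "host": "EXCH01", "EventCode": 1,
     "Message": r"Cmdlet succeeded. Cmdlet New-MailboxExportRequest, parameters {Mailbox=alice, FilePath=\\backup\exports\alice.pst}."},
    {"_time": 1673344800, "host": "EXCH01", "EventCode": 1,   # same cmdlet, 59 min later
     "Message": r"Cmdlet succeeded. Cmdlet New-MailboxExportRequest, parameters {Mailbox=alice, FilePath=\\backup\exports\alice.pst}."},
    {"_time": 1673341320, "host": "EXCH02", "EventCode": 1,
     "Message": "Cmdlet succeeded. Cmdlet Search-Mailbox, parameters {Identity=bob, SearchQuery=invoice}."},
    {"_time": 1673341380, "host": "EXCH02", "EventCode": 6,   # wrong EventCode: excluded
     "Message": "Cmdlet failed. Cmdlet New-MailboxSearch, parameters {Name=probe}."},
    {"_time": 1673341440, "host": "EXCH02", "EventCode": 1,   # lower-case: still matches
     "Message": "cmdlet succeeded. cmdlet new-managementroleassignment, parameters {role=Mailbox Import Export, user=svc}."},
]


def matches_suspicious_cmdlet(message: str) -> bool:
    """Emulate `Message IN ("*New-MailboxExportRequest*", ...)`.

    Splunk wildcard matching is case-insensitive, so both sides are lower-cased
    before the glob comparison.
    """
    msg = message.lower()
    return any(fnmatchcase(msg, pattern.lower()) for pattern in SUSPICIOUS_CMDLET_PATTERNS)


def _ctime(epoch: int) -> str:
    """Stand-in for `security_content_ctime`: render an epoch as ISO-8601 (UTC)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def run_detection(events, allow=lambda row: True):
    """Run the search over a list of event dicts and return the result rows.

    Steps mirror the SPL: filter EventCode=1 and suspicious cmdlet text,
    `stats count min(_time) max(_time) by host Message`, `rename host AS dest`,
    then apply the filter macro, modelled as the `allow` predicate (assumption).
    """
    groups = {}
    for ev in events:
        if ev.get("EventCode") != 1 or not matches_suspicious_cmdlet(ev["Message"]):
            continue
        key = (ev["host"], ev["Message"])          # stats ... by host Message
        grp = groups.setdefault(key, {"count": 0, "first": ev["_time"], "last": ev["_time"]})
        grp["count"] += 1
        grp["first"] = min(grp["first"], ev["_time"])
        grp["last"] = max(grp["last"], ev["_time"])

    rows = []
    for (host, message), grp in groups.items():
        row = {
            "dest": host,                          # rename host AS dest
            "Message": message,
            "count": grp["count"],
            "firstTime": _ctime(grp["first"]),
            "lastTime": _ctime(grp["last"]),
        }
        if allow(row):                             # *_filter macro stand-in
            rows.append(row)
    rows.sort(key=lambda r: (r["dest"], r["Message"]))
    return rows


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(f'{row["dest"]}  count={row["count"]}  {row["firstTime"]} .. {row["lastTime"]}  {row["Message"]}')
```

Two behaviours of the real search are worth noticing from the emulation: the two `New-MailboxExportRequest` events on EXCH01 collapse into a single row with `count=2` only because their `Message` strings are byte-identical, so cmdlet invocations with different parameters produce separate rows rather than one per host; and an event with the right cmdlet but a different EventCode (the constructed EventCode 6 entry) is silently dropped. The `allow` predicate is where an allow-list of expected backup or migration hosts belongs, which in Splunk is the role of the `windows_msexchange_management_mailbox_cmdlet_usage_filter` macro.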