LoFP / legitimate exchange system administration activity.

Techniques

• T1005
• T1059
• T1098
• T1114

Sample rules

Exporting Exchange Mailbox via PowerShell

• source: elastic
• technicques:
  • T1005
  • T1059
  • T1114

Description

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and
  process.command_line : ("*MailboxExportRequest*", "*-Mailbox*-ContentFilter*")

Exchange Mailbox Export via PowerShell

• source: elastic
• technicques:
  • T1005
  • T1114

Description

Identifies the use of the Exchange PowerShell cmdlet, New-MailBoxExportRequest, to export the contents of a primary mailbox or archive to a .pst file. Adversaries may target user email to collect sensitive information.

Detection logic

event.category:process and host.os.type:windows and
  powershell.file.script_block_text : "New-MailboxExportRequest"

New ActiveSyncAllowedDeviceID Added via PowerShell

• source: elastic
• technicques:
  • T1059
  • T1098

Description

Identifies the use of the Exchange PowerShell cmdlet, Set-CASMailbox, to add a new ActiveSync allowed device. Adversaries may target user email to collect sensitive information.

Detection logic

process where host.os.type == "windows" and event.type == "start" and
  process.name: ("powershell.exe", "pwsh.exe", "powershell_ise.exe") and process.args : "Set-CASMailbox*ActiveSyncAllowedDeviceIDs*"