From 4d5a0623235cf7c1fd84384d5fc57a2c54afc6d2 Mon Sep 17 00:00:00 2001
From: Pete Bryan
Date: Wed, 17 Mar 2021 16:30:25 -0700
Subject: [PATCH] Modified with PR comments

---
 ...yAttributeContainingPotentialWebshell.yaml | 21 +++++++++++--------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml b/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
index 286a2c6ea3..19475c5102 100644
--- a/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
+++ b/Detections/SecurityEvent/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
@@ -1,7 +1,9 @@
 id: faf1a6ff-53b5-4f92-8c55-4b20e9957594
 name: Exchange OAB Virtual Directory Attribute Containing Potential Webshell
 description: |
-  'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns'
+  'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.
+  This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services
+  where the new objects contain potential webshell objects. Ref: https://aka.ms/ExchangeVulns'
 severity: High
 requiredDataConnectors:
   - connectorId: SecurityEvents
@@ -17,21 +19,22 @@ relevantTechniques:
   - T1190
 query: |
   SecurityEvent
-  // Look for specific Directory Service Changes
+  // Look for specific Directory Service Changes and parse data
   | where EventID == 5136
-  | extend Data = parse_xml(EventData)
-  | extend ObjectClass = tostring( Data.EventData.Data[10].["#text"])
+  | extend EventData = parse_xml(EventData).EventData.Data
+  | mv-expand bagexpansion = array EventData
+  | evaluate bag_unpack(EventData)
+  | extend Key =tostring(['@Name']), Value = ['#text']
+  | evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
   // Where changes relate to Exchange OAB
   | where ObjectClass =~ "msExchOABVirtualDirectory"
-  | extend AttributeLDAPDisplayName = tostring( Data.EventData.Data[11].["#text"])
   // Look for InternalHostName or ExternalHostName properties being changed
   | where AttributeLDAPDisplayName in ("msExchExternalHostName", "msExchInternalHostName")
-  | extend DN = tostring(Data.EventData.Data[8].["#text"])
-  | extend AttributeValue = tostring(Data.EventData.Data[13].["#text"])
   // Look for suspected webshell activity
   | where AttributeValue has "script"
-  | project-reorder TimeGenerated, Computer, Account, DN, AttributeLDAPDisplayName, AttributeValue
-  | extend timestamp = StartTime, AccountCustomEntity = Account, HostCustomEntity = Computer
+  | project-rename LastSeen = TimeGenerated
+  | project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
+  | extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer
 entityMappings:
   - entityType: Account
     fieldMappings:
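Review bot: The pivoted columns ObjectClass, AttributeLDAPDisplayName and AttributeValue come out as dynamic rather than string, because `Value = ['#text']` in the new extend is never cast, whereas the removed lines wrapped each field in tostring(); the later `=~`, `in (...)` and `has "script"` filters therefore now run on dynamic values and rely on implicit conversion. Casting once at the source, `| extend Key =tostring(['@Name']), Value = tostring(['#text'])`, restores the previous string semantics with no other change to the pipeline. Separately, the pivot groups rows by TimeGenerated plus the listed columns and keeps `any(Value)` per Key, so two 5136 records that share those values (a modify is typically logged as a value-deleted and a value-added event for the same object and attribute) would, if their TimeGenerated collides, collapse into one row with an arbitrary AttributeValue; adding a per-event unique column to the pivot's group-by list would avoid that, though whether such collisions occur in practice is worth confirming against real data.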