28 строки
1.2 KiB
YAML
28 строки
1.2 KiB
YAML
id: 9ccb1859-7a79-4a8a-a382-fa54d4dace47
|
|
name: Exchange PowerShell Snapin Added (Normalized Process Events)
|
|
description: |
|
|
'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell.
|
|
Whilst this is a legitimate administrative tool it is abused by attackers to performs actions on a compromised
|
|
Exchange server. Hunt for unusual activity related to this Snapin including it being added on new hosts or by
|
|
new accounts.'
|
|
requiredDataConnectors: []
|
|
tactics:
|
|
- Collection
|
|
relevantTechniques:
|
|
- T1119
|
|
query: |
|
|
imProcessCreate
|
|
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
|
|
| where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
|
|
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct
|
|
| extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|