30 строки
1.3 KiB
YAML
30 строки
1.3 KiB
YAML
id: 8afd1086-fc9a-4d26-b3ff-5c794c79a59a
|
|
name: Exchange PowerShell Snapin Added
|
|
description: |
|
|
'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell. Whilst this is a legitimate administrative tool it is abused by attackers to performs actions on a compromised Exchange server. Hunt for unusual activity related to this Snapin including it being added on new hosts or by new accounts.'
|
|
requiredDataConnectors:
|
|
- connectorId: SecurityEvents
|
|
dataTypes:
|
|
- SecurityEvent
|
|
tactics:
|
|
- Collection
|
|
relevantTechniques:
|
|
- T1119
|
|
query: |
|
|
SecurityEvent
|
|
| where EventID == 4688
|
|
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
|
|
| where isnotempty(CommandLine)
|
|
| where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
|
|
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine
|
|
| extend timestamp = FirstSeen, AccountCustomEntity = Account, HostCustomEntity = Computer
|
|
entityMappings:
|
|
- entityType: Account
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: AccountCustomEntity
|
|
- entityType: Host
|
|
fieldMappings:
|
|
- identifier: FullName
|
|
columnName: HostCustomEntity
|