The hypothesis is that an adversary may be leveraging the Exchange PowerShell Snapin to execute malicious commands and gain unauthorized access to Exchange servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect potential compromise of email infrastructure and prevent data exfiltration or lateral movement.
KQL Query
```kql
imProcessCreate
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct
| extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
```
```yaml
id: 9ccb1859-7a79-4a8a-a382-fa54d4dace47
name: Exchange PowerShell Snapin Added (Normalized Process Events)
description: |
  'The Exchange PowerShell Snapin was loaded on a host; this allows for Exchange server management via PowerShell.
  Whilst this is a legitimate administrative tool, it is abused by attackers to perform actions on a compromised
  Exchange server. Hunt for unusual activity related to this Snapin, including it being added on new hosts or by
  new accounts.'
requiredDataConnectors: []
tactics:
  - Collection
relevantTechniques:
  - T1119
query: |
  imProcessCreate
  | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
  | where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
  | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Dvc, User, CommandLine, EventVendor, EventProduct
  | extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: HostCustomEntity
```
| Sentinel Table | Notes |
|---|---|
| imProcessCreate | Ensure this data connector is enabled |
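The rule description asks the hunter to look specifically for the snapin being added on new hosts or by new accounts, which the base query above does not do on its own. The query below is an added example and is not part of the original hunting query or the Sentinel repository rule: it builds a baseline of hosts and accounts that loaded the snapin during a 30-day lookback and returns only the loads in the last day that introduce a host or account absent from that baseline. The 30d and 1d windows, the `snapin_loads`, `known_hosts` and `known_users` names, and the `NewHost`/`NewUser` columns are assumptions made here.

```kql
// Added example (not from the original rule): flag snapin loads from hosts or
// accounts that did not load it during the baseline window.
// The 30d / 1d windows are assumptions; adjust to your retention and review cadence.
let lookback = 30d;
let recent = 1d;
let snapin_loads = imProcessCreate
    | where TimeGenerated > ago(lookback)
    | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
    | where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin";
// Hosts and accounts that loaded the snapin before the recent window form the baseline
let known_hosts = toscalar(snapin_loads | where TimeGenerated <= ago(recent) | summarize make_set(Dvc, 100000));
let known_users = toscalar(snapin_loads | where TimeGenerated <= ago(recent) | summarize make_set(User, 100000));
snapin_loads
| where TimeGenerated > ago(recent)
| extend NewHost = not(set_has_element(known_hosts, Dvc)),
         NewUser = not(set_has_element(known_users, User))
// Keep only loads that introduce a host or account not seen in the baseline
| where NewHost or NewUser
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), LoadCount = count()
    by Dvc, User, CommandLine, NewHost, NewUser, EventVendor, EventProduct
| extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
```

Two things to check before trusting the result: the imProcessCreate source must have been ingesting for the whole lookback window, otherwise the baseline is empty and every load in the last day is reported as new; and a host or account that first loaded the snapin inside the baseline window is treated as known, so run the query early after enabling the connector to review the initial population rather than letting it become the baseline unexamined.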
Scenario: Scheduled Job for Mailbox Backup
- Description: A legitimate scheduled job runs a PowerShell script to back up user mailboxes using the Exchange PowerShell Snapin.
- Filter/Exclusion: Check for the presence of a known backup tool (e.g., Veeam, Symantec Backup Exec) or filter on a script name in the command line such as BackupJob.ps1 or BackupScript.ps1.

Scenario: Exchange Management Shell Session
- Description: An administrator is using the Exchange Management Shell (EMS) to perform routine administrative tasks such as mailbox moves or user mailbox creation.
- Filter/Exclusion: Filter by a known administrator account (e.g., a named Exchange admin account) or check for known EMS cmdlets like Get-Mailbox, Move-Mailbox, or New-Mailbox.

Scenario: PowerShell DSC Configuration for Exchange
- Description: A PowerShell Desired State Configuration (DSC) resource is applied to configure or manage Exchange server settings.
- Filter/Exclusion: Filter on a script name in the command line such as Configuration.ps1 or check for the presence of DSC resources such as ExchangeDsc or PSDscResource.

Scenario: Exchange PowerShell Snapin Used by a Service Account
- Description: A service account with elevated privileges (e.g., ExchangeServiceAccount) is used to perform automated tasks like sending reports or managing distribution lists.
- Filter/Exclusion: Filter by service account name or check for known service-related processes like ExchangeService.exe or MSExchangeServiceHost.exe.

Scenario: Exchange Snapin Used in a Script for Reporting
- Description: A script is run to generate reports on mailbox usage or user activity using the Exchange PowerShell Snapin.
- Filter/Exclusion: Filter by script name (e.g., GenerateReport.ps1) or check for the presence of reporting tools like
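The scenarios above describe each benign explanation separately. The query below is an added example, not part of the original hunting query or the Sentinel repository rule, that applies all of them in one pass: rather than excluding matching rows, it tags each snapin load with the most likely benign reason and sorts untagged loads to the top, so a load from a compromised administrator account or a renamed backup script still appears in the result set. Every entry in the `known_admins`, `backup_tools`, `dsc_markers`, `reporting_scripts` and `routine_cmdlets` lists is a placeholder to be replaced with values from your own environment, and the 7-day window and `BenignReason` column are assumptions made here.

```kql
// Added example (not from the original rule): tag snapin loads with the benign
// scenario they match, so review starts with the untagged remainder.
// List contents are placeholders; populate them from your own inventory.
let known_admins = dynamic(["exchange-admin@example.com", "svc-exchange@example.com"]);
let backup_tools = dynamic(["Veeam", "BackupJob.ps1", "BackupScript.ps1"]);
let dsc_markers = dynamic(["Configuration.ps1", "ExchangeDsc", "PSDscResource"]);
let reporting_scripts = dynamic(["GenerateReport.ps1"]);
let routine_cmdlets = dynamic(["Get-Mailbox", "Move-Mailbox", "New-Mailbox"]);
imProcessCreate
| where TimeGenerated > ago(7d)
| where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where CommandLine has "Add-PSSnapin Microsoft.Exchange.Management.Powershell.Snapin"
// First matching clause wins; an empty string means no benign explanation was found
| extend BenignReason = case(
    User in~ (known_admins), "Known Exchange administrator",
    CommandLine has_any (backup_tools), "Mailbox backup job",
    CommandLine has_any (dsc_markers), "DSC configuration",
    CommandLine has_any (reporting_scripts), "Reporting script",
    CommandLine has_any (routine_cmdlets), "Routine EMS cmdlet",
    "")
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), LoadCount = count()
    by Dvc, User, CommandLine, BenignReason, EventVendor, EventProduct
// Untagged loads (empty BenignReason) sort first for triage
| order by BenignReason asc, FirstSeen asc
| extend timestamp = FirstSeen, AccountCustomEntity = User, HostCustomEntity = Dvc
```

Tagging rather than filtering is deliberate: a `where BenignReason == ""` clause turns this into the exclusion list the scenarios describe, but the tagged rows should still be reviewed periodically, since the matches are on command-line strings and account names that an operator on a compromised host can choose.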