Adversaries may download files of suspicious (script) types through an Exchange Server's HttpProxy in order to deploy webshells, then use that foothold to exfiltrate data or execute malicious payloads. SOC teams should proactively hunt for this behavior in their Azure Sentinel environment to detect early-stage compromise attempts.
KQL Query
// Script-type extensions that point to a webshell rather than a legitimate OAB file
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
http_proxy_oab_CL
| where RawData contains "Download failed and temporary file"
// Capture group 2 is the quoted temporary file path, from its first backslash to the closing quote
| extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
| extend Extension = strcat(".",split(File, ".")[-1])
| extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
// Uncomment the following line to alert only on interactive file download type
//| where InteractiveFile =~ "Yes"
// Split the FQDN in Computer into host and domain parts for entity mapping
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
id: 8955c0fb-3408-47b0-a3b9-a1faec41e427
name: Exchange Server Suspicious File Downloads.
description: |
  'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells.
  This query uses the Exchange HttpProxy OABGeneratorLog; you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.
  This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel
  can be found here: https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
  http_proxy_oab_CL
  | where RawData contains "Download failed and temporary file"
  | extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
  | extend Extension = strcat(".",split(File, ".")[-1])
  | extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
  // Uncomment the following line to alert only on interactive file download type
  //| where InteractiveFile =~ "Yes"
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
entityMappings:
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: DnsDomain
        columnName: HostNameDomain
version: 1.0.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Application" ]
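The query's extraction and classification steps, re-implemented in Python as an added example (not the rule's own code) so the path regex and extension logic can be checked offline against sample rows; the log lines below are constructed and only model the phrase and the single-quoted temporary-file path the rule keys on.

```python
import re
from typing import Optional

# Extension list copied from the rule; the rest of this block is an added re-implementation.
SCRIPT_EXTENSIONS = {".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"}

# Python form of the rule's extract("([^\\\\]*)(\\\\[^']*)", 2, RawData):
# group 2 runs from the first backslash in the row up to the next single quote.
FILE_RE = re.compile(r"([^\\]*)(\\[^']*)")


def evaluate_row(raw_data: str, computer: str) -> Optional[dict]:
    """Apply the rule's where/extend steps to one row; None if the where-filter drops it."""
    if "Download failed and temporary file" not in raw_data:
        return None
    match = FILE_RE.search(raw_data)
    file = match.group(2) if match else ""
    # strcat(".", split(File, ".")[-1]): last dot-separated piece, or the whole
    # value when the path contains no dot at all.
    extension = "." + file.rsplit(".", 1)[-1]
    domain_index = computer.find(".")  # indexof(Computer, '.')
    return {
        "File": file,
        "Extension": extension,
        "InteractiveFile": "Yes" if extension in SCRIPT_EXTENSIONS else "No",
        "HostName": computer.split(".")[0],
        "HostNameDomain": computer[domain_index + 1:] if domain_index != -1 else computer,
    }


def interactive_hits(rows):
    """Rows the rule alerts on once the optional '| where InteractiveFile =~ "Yes"' line is enabled."""
    evaluated = (evaluate_row(raw, computer) for raw, computer in rows)
    return [row for row in evaluated if row and row["InteractiveFile"] == "Yes"]


# Constructed sample rows (RawData, Computer). Only the phrase the rule keys on and the
# single-quoted temporary file path are modelled; real OABGeneratorLog lines may differ.
SAMPLE_ROWS = [
    ("2024-05-01T10:15:02Z Download failed and temporary file "
     "'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\tmp\\update.aspx' deleted",
     "exch01.corp.example.com"),
    ("2024-05-01T10:16:44Z Download failed and temporary file "
     "'C:\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\OAB\\tmp\\oab.lzx' deleted",
     "exch01.corp.example.com"),
    ("2024-05-01T10:17:00Z OAB generation completed", "exch02"),
]

if __name__ == "__main__":
    for hit in interactive_hits(SAMPLE_ROWS):
        print(hit["HostName"], hit["File"], hit["Extension"])
```

Running it prints only the .aspx row; the .lzx row is kept by the base query but flagged "No", and the third row never passes the contains filter.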
Scenario: Legitimate scheduled backup job downloading a script file
Description: A backup tool (e.g., Veeam, Commvault) may download a .ps1 or .bat script as part of a scheduled job for configuration or update purposes.
Filter/Exclusion: Exclude file downloads where the source is a known backup server IP or domain, or where the file extension is associated with a backup tool (e.g., .vbs, .ps1 in a known backup context).

Scenario: Admin performing a software update via PowerShell
Description: An administrator may use PowerShell (e.g., Invoke-Command, Start-Process) to download and install a legitimate update or patch, which may trigger the rule due to the file type.
Filter/Exclusion: Exclude file downloads originating from internal admin servers or where the file is associated with a known update mechanism (e.g., .msi, .exe from a trusted update server).

Scenario: User downloading a legitimate document via email
Description: A user may download a .docx, .xlsx, or .pdf file via email, which could be flagged due to the file type or the presence of suspicious headers.
Filter/Exclusion: Exclude file downloads where the file extension is a common document type, or where the email sender is a known internal user or department.

Scenario: Exchange Online Protection (EOP) downloading malware signature updates
Description: The Exchange Online Protection service may download malware signature updates from Microsoft, which could be flagged due to the file type or download behavior.
Filter/Exclusion: Exclude file downloads from Microsoft’s public IP ranges or domains (e.g., download.microsoft.com, msftncsi.com).

Scenario: Internal tool for log analysis or reporting
Description: An internal tool