The detection identifies potential deployment of a known Exchange backdoor and remote shell mechanism, indicative of adversary persistence and remote access capabilities. SOC teams should proactively hunt for this behavior to uncover stealthy, long-term access to Exchange servers and mitigate lateral movement risks in their Azure Sentinel environment.
YARA Rule
rule IronTiger_dllshellexc2010
{
    meta:
        author = "Cyber Safety Solutions, Trend Micro"
        description = "dllshellexc2010 Exchange backdoor + remote shell"
        reference = "http://goo.gl/T5fSJC"
    strings:
        $str1 = "Microsoft.Exchange.Clients.Auth.dll" nocase ascii wide
        $str2 = "Dllshellexc2010" nocase wide ascii
        $str3 = "Users\\ljw\\Documents" nocase wide ascii
        $bla1 = "please input path" nocase wide ascii
        $bla2 = "auth.owa" nocase wide ascii
    condition:
        (uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*)))
}
This YARA rule can be deployed in the following contexts:
This rule contains 5 string patterns in its detection logic.
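To make the rule's string modifiers and condition concrete, the following added Python re-implementation of its matching logic (example code, not the rule's own code or yara-python) evaluates the same five patterns with the same nocase/ascii/wide semantics and the same uint16(0) gate over constructed buffers; the sample bytes are constructed here and are not real samples.

```python
from typing import Dict

MZ = b"MZ"  # first two bytes of a PE; uint16(0) == 0x5a4d reads them little-endian

# The rule's $str* and $bla* patterns, copied from the YARA above.
STR_PATTERNS = ["Microsoft.Exchange.Clients.Auth.dll", "Dllshellexc2010", "Users\\ljw\\Documents"]
BLA_PATTERNS = ["please input path", "auth.owa"]

def contains_nocase_ascii_wide(data: bytes, pattern: str) -> bool:
    """Emulates 'nocase ascii wide': case-insensitive match of either the ASCII
    encoding or the UTF-16LE ('wide') encoding of the pattern. bytes.lower()
    folds only ASCII letters, which is also how YARA's nocase behaves."""
    lowered = data.lower()
    p = pattern.lower()
    return p.encode("ascii") in lowered or p.encode("utf-16-le") in lowered

def is_pe_header(data: bytes) -> bool:
    """uint16(0) == 0x5a4d: the buffer must start with the 'MZ' DOS header."""
    return len(data) >= 2 and int.from_bytes(data[:2], "little") == 0x5A4D

def evaluate(data: bytes) -> Dict[str, object]:
    """Applies the rule condition:
    (uint16(0) == 0x5a4d) and ((any of ($str*)) or (all of ($bla*)))."""
    str_hits = [p for p in STR_PATTERNS if contains_nocase_ascii_wide(data, p)]
    bla_hits = [p for p in BLA_PATTERNS if contains_nocase_ascii_wide(data, p)]
    match = is_pe_header(data) and (bool(str_hits) or len(bla_hits) == len(BLA_PATTERNS))
    return {"match": match, "str_hits": str_hits, "bla_hits": bla_hits}

# Constructed buffers (not real samples); the PE-like ones start with MZ plus filler.
SAMPLES = {
    # $str2 present only as UTF-16LE in upper case: both 'wide' and 'nocase' are needed
    "pe_wide_str2": MZ + b"\x90" * 14 + "DLLSHELLEXC2010".encode("utf-16-le") + b"\x00" * 8,
    # only one $bla string: the rule needs all of ($bla*), so this must not fire
    "pe_one_bla": MZ + b"\x00" * 14 + b"auth.owa" + b"\x00" * 8,
    # both $bla strings in ASCII, mixed case
    "pe_both_bla": MZ + b"\x00" * 14 + b"Please input path\x00AUTH.OWA\x00",
    # a log line that merely mentions the name: no MZ header, so the uint16(0) gate rejects it
    "log_text": b"2024-01-01 scanner: found string Dllshellexc2010 in quarantine\n",
}

def scan_all() -> Dict[str, bool]:
    """Verdict per constructed sample."""
    return {name: evaluate(buf)["match"] for name, buf in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_all().items():
        print(f"{name:13s} -> {'MATCH' if verdict else 'no match'}")
```

The last sample shows why text artefacts such as logs or scripts that only name the DLL do not trigger the rule: the MZ check restricts matches to PE images, which narrows the false-positive scenarios below to cases where an actual binary carries these strings.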
Scenario: Scheduled Job for Exchange Maintenance
Description: A legitimate scheduled task runs a script that uses dllshellexc2010 as part of an Exchange maintenance process.
Filter/Exclusion: Check for taskname containing “Exchange Maintenance” or “Exchange Backup” and filter by processname matching known Exchange services (e.g., MSExchangeSearch.exe, MSExchangeIS.exe).
Scenario: Admin Task to Load DLL for Compatibility
Description: An administrator loads a DLL (e.g., dllshellexc2010.dll) for compatibility with older applications or to support legacy software.
Filter/Exclusion: Filter by processname matching known administrative tools (e.g., cmd.exe, powershell.exe) and check for dll files in known enterprise directories (e.g., C:\Windows\System32\).
Scenario: Remote Shell for Legitimate Remote Administration
Description: A remote administration tool (e.g., PsExec, WinRM, or Remote Desktop) is used to execute commands on a remote Exchange server.
Filter/Exclusion: Check for processname matching remote administration tools and verify the presence of a valid RDP or WinRM session context.
Scenario: Third-Party Tool Using DLL for Automation
Description: A third-party tool (e.g., Microsoft Exchange Management Shell, Exchange Online PowerShell) uses dllshellexc2010 as part of its automation process.
Filter/Exclusion: Filter by processname containing “Exchange” or “PowerShell” and check for known legitimate command-line arguments or scripts.
Scenario: Malware Analysis or Sandbox Environment
Description: A security tool or sandbox environment is running