Adversaries may be dropping malicious ASPX files via Exchange components in IIS to execute web-based payloads. SOC teams should proactively hunt for this behavior to identify potential web shell deployments and limit lateral movement in their Azure Sentinel environment.
Detection Rule
title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
- id: 6b269392-9eba-40b5-acb6-55c882b20ba6
type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
- https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
- https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
- https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022-10-01
tags:
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\w3wp.exe'
CommandLine|contains: 'MSExchange'
TargetFilename|contains:
- 'FrontEnd\HttpProxy\' # from GTSC and MSTI reports
- '\inetpub\wwwroot\aspnet_client\' # from GTSC report
selection_types:
TargetFilename|endswith:
- '.aspx'
- '.asp'
- '.ashx'
condition: all of selection*
falsepositives:
- Unknown
level: high
imFileEvent
| where (TargetFilePath endswith "\\w3wp.exe" and ActingProcessCommandLine contains "MSExchange" and (TargetFileName contains "FrontEnd\\HttpProxy\\" or TargetFileName contains "\\inetpub\\wwwroot\\aspnet_client\\")) and (TargetFileName endswith ".aspx" or TargetFileName endswith ".asp" or TargetFileName endswith ".ashx")Scenario: Scheduled Backup Job Drops ASPX File
Description: A legitimate scheduled backup job (e.g., Veeam Backup & Replication, Microsoft Data Protection Manager) may temporarily drop an .aspx file during a backup or restore operation.
Filter/Exclusion: Check for file paths associated with backup directories (e.g., C:\Backup\, D:\VeeamBackup\) or use a filter like:
(file_path contains "Backup" or file_path contains "Veeam" or file_path contains "DPManager")Scenario: Exchange Management Shell Script Execution
Description: An admin may run a PowerShell script (e.g., Exchange Management Shell) that generates a temporary .aspx file for testing or configuration purposes.
Filter/Exclusion: Filter based on the process name or user context, such as:
(process_name contains "powershell.exe" and user contains "Administrator" or user contains "ExchangeAdmin")Scenario: IIS Application Pool Recycling
Description: During an IIS application pool recycling event, a temporary .aspx file may be created in a suspicious folder as part of the IIS configuration or logging process.
Filter/Exclusion: Filter based on the presence of IIS-related directories (e.g., C:\inetpub\wwwroot\, C:\Windows\System32\inetsrv\) or use:
(file_path contains "inetpub" or file_path contains "System32" or file_path contains "wwwroot")Scenario: Exchange Online Protection Agent (EOPA) File Creation
Description: The Exchange Online Protection Agent (EOPA) may create temporary files in a suspicious folder during