Adversaries who have compromised an Exchange server often drop web shells and helper binaries through the Exchange components hosted in IIS, because the IIS worker process (w3wp.exe) can write into web-served directories and the result survives reboots. SOC teams should hunt for this behavior proactively: a file with a script or executable extension created by an Exchange application pool is a strong indicator of web-shell persistence and should be investigated before the foothold is used for lateral movement.
Detection Rule
title: Suspicious File Drop by Exchange
id: 6b269392-9eba-40b5-acb6-55c882b20ba6
related:
    - id: bd1212e5-78da-431e-95fa-c58e3237a8e6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems)
date: 2022-10-04
tags:
    - attack.persistence
    - attack.t1190
    - attack.initial-access
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium
Microsoft Sentinel translation over the ASIM imFileEvent parser. Two points matter here. First, the Sigma Image field is the process that wrote the file, so it maps to ActingProcessName; a query that tests TargetFilePath for w3wp.exe and TargetFileName for .aspx in the same row can never match and silently detects nothing. Second, the rule filters on the creating process's command line, so the file-event source must carry it: Sysmon Event ID 11 (FileCreate) does not include CommandLine, so on Sysmon-only telemetry you have to join to the Event ID 1 record via ProcessGuid or rely on EDR file events that are already enriched with the command line.

imFileEvent
| where ActingProcessName endswith "\\w3wp.exe" and ActingProcessCommandLine contains "MSExchange"
| where TargetFileName endswith ".aspx" or TargetFileName endswith ".asp" or TargetFileName endswith ".ashx" or TargetFileName endswith ".ps1" or TargetFileName endswith ".bat" or TargetFileName endswith ".exe" or TargetFileName endswith ".dll" or TargetFileName endswith ".vbs"
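To make the selection logic concrete, here is an added Python implementation of the rule's condition run over a handful of constructed Sysmon-style file-create events; it is example code written for this page, not part of the Sigma rule, the Sigma project or any vendor's product. The ASP.NET temporary-compilation exclusion, the application pool command lines and every path in the sample events are assumptions constructed for illustration, and field names follow Sigma's windows/file_event taxonomy (Image, CommandLine, TargetFilename).

```python
"""Added example (not from the original page or the Sigma project): the
selection logic of "Suspicious File Drop by Exchange" implemented in Python
and run over constructed Sysmon-style file-create events, with one assumed
tuning exclusion for ASP.NET dynamic-compilation output.

Field names follow Sigma's windows/file_event taxonomy (Image, CommandLine,
TargetFilename). Every event below is fabricated for illustration.
"""
import re

# selection_types from the rule
SUSPICIOUS_EXTENSIONS = (".aspx", ".asp", ".ashx", ".ps1", ".bat", ".exe", ".dll", ".vbs")

# Assumed exclusion, not part of the original rule: ASP.NET compiles .aspx pages
# into App_Web_<hash>.dll under "Temporary ASP.NET Files", and on an Exchange
# server the writer is the MSExchange* w3wp.exe, so those writes match the rule.
ASPNET_TEMP_DLL = re.compile(
    r"\\Temporary ASP\.NET Files\\.*\\App_Web_[^\\]+\.dll$", re.IGNORECASE
)


def matches_rule(event: dict) -> bool:
    """Evaluate `condition: all of selection*` for one event.

    Sigma's endswith/contains modifiers are case-insensitive, so every
    comparison is done on lower-cased values.
    """
    image = event.get("Image", "").lower()
    cmdline = event.get("CommandLine", "").lower()
    target = event.get("TargetFilename", "").lower()
    selection = image.endswith("\\w3wp.exe") and "msexchange" in cmdline
    selection_types = target.endswith(SUSPICIOUS_EXTENSIONS)
    return selection and selection_types


def is_known_benign(event: dict) -> bool:
    """Tuning exclusion: ASP.NET compilation output written by the worker."""
    return ASPNET_TEMP_DLL.search(event.get("TargetFilename", "")) is not None


def triage(events):
    """Split events into (alerts, tuned_out); non-matching events are dropped."""
    alerts, tuned_out = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (tuned_out if is_known_benign(ev) else alerts).append(ev)
    return alerts, tuned_out


# Constructed w3wp.exe command lines in the shape IIS uses (-ap names the pool).
EXCHANGE_ECP_POOL = (
    r'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeECPAppPool" -v "v4.0" '
    r'-a \\.\pipe\iisipm1a2b3c -h "C:\inetpub\temp\apppools\MSExchangeECPAppPool'
    r'\MSExchangeECPAppPool.config" -w "" -m 0'
)
EXCHANGE_OWA_POOL = EXCHANGE_ECP_POOL.replace("MSExchangeECPAppPool", "MSExchangeOWAAppPool")
DEFAULT_POOL = EXCHANGE_ECP_POOL.replace("MSExchangeECPAppPool", "DefaultAppPool")

SAMPLE_EVENTS = [
    # 1. Web-shell-like drop into the OWA auth directory by the ECP pool: alert.
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": EXCHANGE_ECP_POOL,
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\errorEE.aspx"},
    # 2. ASP.NET recompiling OWA pages after a pool recycle: matches, tuned out.
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": EXCHANGE_OWA_POOL,
     "TargetFilename": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\3f2c1a0b\9e8d7c6b\App_Web_k2x5pd4q.dll"},
    # 3. Non-Exchange application pool writing an .aspx: not in scope.
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": DEFAULT_POOL,
     "TargetFilename": r"C:\inetpub\wwwroot\default.aspx"},
    # 4. Exchange pool writing a log: extension not in the list.
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": EXCHANGE_OWA_POOL,
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\HttpProxy_2022100400-1.LOG"},
    # 5. Admin saving a script from their own shell: wrong acting process.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": "powershell.exe",
     "TargetFilename": r"C:\Scripts\Get-MailboxReport.ps1"},
]

if __name__ == "__main__":
    alerts, tuned_out = triage(SAMPLE_EVENTS)
    for ev in alerts:
        print("ALERT ", ev["TargetFilename"])
    for ev in tuned_out:
        print("TUNED ", ev["TargetFilename"])
```

Running it alerts only on the .aspx written into owa\auth by the ECP pool and tunes out the App_Web_*.dll compile. The exclusion is anchored on the full Temporary ASP.NET Files path and the App_Web_ prefix rather than on the .dll extension, so an attacker who writes a DLL anywhere else under the Exchange tree is still caught; extension-wide exclusions would blind the rule to exactly the writes it exists to detect.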
False Positives
Scenario: Scheduled Backup Job Drops a Backup File
Description: A backup agent (e.g., Veeam Backup & Replication, a Commvault CommCell client, or Veritas NetBackup) writes .bak, .log or .tmp files on the Exchange server while a job runs.
Filter/Exclusion: None needed. These writes do not satisfy the rule at all: the acting process is the backup agent rather than w3wp.exe, and none of .bak, .log or .tmp is in the selection_types list. An exclusion such as file.name NOT IN ('*.bak', '*.log', '*.tmp') therefore removes nothing, and blanket extension exclusions should be avoided so they are not copied into rules where they would matter.
Scenario: Exchange Management Shell Script Execution
Description: An administrator runs cmdlets or scripts through the Exchange Management Shell. EMS executes cmdlets remotely inside the MSExchangePowerShellAppPool worker process, so a cmdlet that writes to the server's file system attributes the write to w3wp.exe with MSExchange in its command line. A .ps1 or .psm1 saved from the administrator's own powershell.exe session does not match the rule, because the acting process is not w3wp.exe.
Filter/Exclusion: Do not exclude every .ps1/.psm1 or every path containing 'Exchange'. A filter like file.name NOT IN ('*.ps1', '*.psm1') AND file.name NOT LIKE '%Exchange%' removes exactly the writes under the Exchange install tree that the rule exists to catch. Instead, exclude only the specific output paths of approved administrative scripts, and review the script that produces them.
Scenario: Exchange Certificate Renewal Process
Description: During certificate renewal (e.g., via certutil.exe, the Exchange Management Console or Exchange Management Shell), .req, .cer or .pfx files are created on the server.
Filter/Exclusion: None needed. Certificate extensions are not in the rule's selection_types list, and certutil.exe and certsrv.exe are not w3wp.exe, so a filter like file.name NOT IN ('*.cer', '*.pfx') AND process.name NOT IN ('certutil.exe', 'certsrv.exe') changes nothing. Adding it only obscures what the rule actually matches.
Scenario: IIS Application Pool Recycling and ASP.NET Dynamic Compilation
Description: After an application pool recycles or a web.config changes, ASP.NET recompiles the application's pages and writes App_Web_*.dll assemblies under the Temporary ASP.NET Files directory. On an Exchange server the writer is the MSExchange* w3wp.exe worker, so this is a genuine match of the rule and the most common benign source of alerts. IIS itself does not create .exe files during recycling.
Filter/Exclusion: Exclude files associated with IIS or application pools. Use