Adversaries exploiting ProxyShell may use the Exchange Mailbox Replication service process (MSExchangeMailboxReplication.exe) to write .asp or .aspx files to disk. The final ProxyShell step abuses a mailbox export, so the write that drops the web shell is performed by this Exchange service rather than by an attacker-controlled process; a web-script file created by it is a strong indicator of remote code execution. SOC teams should hunt for this behavior in Azure Sentinel to detect and contain advanced persistent threat (APT) activity targeting Exchange servers.
Detection Rule
title: Suspicious MSExchangeMailboxReplication ASPX Write
id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
status: test
description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp or .aspx files to disk, which could be a sign of ProxyShell exploitation
references:
- https://redcanary.com/blog/blackbyte-ransomware/
author: Florian Roth (Nextron Systems)
date: 2022-02-25
tags:
- attack.initial-access
- attack.t1190
- attack.persistence
- attack.t1505.003
logsource:
product: windows
category: file_event
detection:
selection:
Image|endswith: '\MSExchangeMailboxReplication.exe'
TargetFilename|endswith:
- '.aspx'
- '.asp'
condition: selection
falsepositives:
- Unknown
level: high
imFileEvent
// The actor is the process that performed the write (ActingProcessName in the ASIM FileEvent schema).
// TargetFileName is the file being written, so only it is tested for the web-script extension;
// testing the target path for the executable name as well can never be true and returns nothing.
| where ActingProcessName endswith "\\MSExchangeMailboxReplication.exe" and (TargetFileName endswith ".aspx" or TargetFileName endswith ".asp")
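The following is an added example, not code from the original page or from the Sigma project: a plain Python evaluator for the rule's selection block, run over constructed Sysmon Event ID 11 (FileCreate) records, with a path-exclusion step that shows how a broad "known Exchange directory" exclusion suppresses the one true positive. It also encodes, as asim_predicate_broken, the mistake of testing the written file's path for the executable name, which can never match. The event contents, the file names hypothetical.aspx and Hypothetical.ASP, and the MRS_IMAGE path are constructed assumptions; the Exchange installation root used is the default one.

```python
# Added example (not part of the original page or the Sigma project): evaluates the
# Sigma 'selection' block over constructed Sysmon Event ID 11 records and applies
# path-based tuning, so the effect of a too-broad exclusion can be seen directly.
from typing import Iterable

EXCHANGE_ROOT = r"C:\Program Files\Microsoft\Exchange Server\V15"   # default install root
MRS_IMAGE = EXCHANGE_ROOT + r"\Bin\MSExchangeMailboxReplication.exe"  # assumed binary path

# Constructed sample events; paths and file names are illustrative, not observed telemetry.
SAMPLE_EVENTS = [
    # 1: the Mailbox Replication service drops a web script into Exchange's own IIS directory.
    {"EventID": 11, "Image": MRS_IMAGE,
     "TargetFilename": EXCHANGE_ROOT + r"\FrontEnd\HttpProxy\owa\auth\hypothetical.aspx"},
    # 2: the same service writes an ordinary log file (benign, wrong extension).
    {"EventID": 11, "Image": MRS_IMAGE,
     "TargetFilename": EXCHANGE_ROOT + r"\Logging\MailboxReplication\MRS_20220225.LOG"},
    # 3: the IIS worker writes an .aspx file (right extension, wrong acting process).
    {"EventID": 11, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\hypothetical.aspx"},
    # 4: mixed-case actor and extension; Sigma string matching is case-insensitive.
    {"EventID": 11, "Image": MRS_IMAGE.upper(),
     "TargetFilename": r"C:\Windows\Temp\Hypothetical.ASP"},
]

ACTOR_SUFFIX = "\\msexchangemailboxreplication.exe"
SUSPICIOUS_EXTENSIONS = (".aspx", ".asp")


def matches_selection(event: dict) -> bool:
    """Sigma 'selection': Image|endswith the MRS binary AND TargetFilename|endswith .aspx/.asp.
    Sigma string modifiers compare case-insensitively, so both sides are lower-cased."""
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    return image.endswith(ACTOR_SUFFIX) and target.endswith(SUSPICIOUS_EXTENSIONS)


def asim_predicate_broken(event: dict) -> bool:
    """Mirrors a translation that tests the written file's path for the executable name.
    One path cannot end with both '.exe' and '.aspx', so this predicate never fires."""
    target = str(event.get("TargetFilename", "")).lower()
    return target.endswith(ACTOR_SUFFIX) and target.endswith(SUSPICIOUS_EXTENSIONS)


def hunt(events: Iterable[dict], excluded_prefixes: tuple = ()) -> list:
    """Apply the rule to FileCreate events, then drop hits whose target path starts with
    an excluded prefix (case-insensitive). Returns the surviving TargetFilename values."""
    excluded = tuple(p.lower() for p in excluded_prefixes)
    hits = []
    for ev in events:
        if ev.get("EventID") != 11 or not matches_selection(ev):
            continue
        target = str(ev["TargetFilename"])
        if excluded and target.lower().startswith(excluded):
            continue
        hits.append(target)
    return hits


if __name__ == "__main__":
    print("untuned hits:", hunt(SAMPLE_EVENTS))
    # Excluding the whole Exchange directory, as a substring filter on
    # "Exchange Server" would, silently drops the web-shell write in FrontEnd\HttpProxy.
    print("broad exclusion:", hunt(SAMPLE_EVENTS, (EXCHANGE_ROOT,)))
    # A narrow exclusion of a verified path leaves the true positive intact.
    print("narrow exclusion:", hunt(SAMPLE_EVENTS, (EXCHANGE_ROOT + r"\Logging",)))
```

The point of the two exclusion calls is that tuning must be by exact, verified path: the rule already pins the acting process, so the only knob left is the target path, and the Exchange web directories are precisely where a ProxyShell web shell has to land to be reachable.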
Every tuning below has to be path-based: the rule already restricts the acting process to MSExchangeMailboxReplication.exe, so a filter on some other process name (iisexpress.exe, msdeploy.exe, robocopy.exe and so on) never changes what it returns. Treat any .asp or .aspx file written by this process as suspect until its content has been reviewed, and prefer excluding exact, verified file paths over directory-wide substrings.
Scenario: Legitimate Exchange Database Maintenance Task
Description: A scheduled job runs to maintain Exchange mailbox replication databases, which may involve writing temporary files with .asp or .aspx extensions during the process.
Filter/Exclusion: Record the exact file paths the job produces and exclude only those. Do not exclude every path containing Microsoft.Exchange or Exchange Server: that substring also covers the Exchange web directories under the installation root (for example C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy), which is where a ProxyShell web shell is typically written, and a directory such as C:\Program Files\Microsoft\Exchange Server\V15\Bin should only be excluded for specific, verified file names.
Scenario: Admin Performing Web Application Debugging
Description: A system administrator is testing a custom web application that uses .asp or .aspx files for debugging purposes, and the file is written to a temporary directory.
Filter/Exclusion: A process-name check for iisexpress.exe or vsdebugger.exe does not apply, because those processes never trigger this rule. If the Mailbox Replication service itself wrote a web script into a Debug or Temp directory, confirm that the administrator's tooling caused it before excluding that specific directory; a ProxyShell mailbox export can be pointed at any writable path, including Temp.
Scenario: Deployment of a Legacy Web Application
Description: A legacy web application is being deployed, and the deployment process involves writing .asp or .aspx files to a web root directory as part of the setup.
Filter/Exclusion: Deployment tools such as msdeploy.exe or webdeploy.exe do not trigger this rule, so no process-name filter is needed for them. Avoid a blanket exclusion of paths containing inetpub or wwwroot: a web root is exactly where a web shell must land to be reachable over HTTP, so excluding it defeats the detection. Only exclude a write that has been traced to a documented deployment step, and then by exact file path.
Scenario: Automated Backup or Sync Job
Description: A backup or synchronization job is copying files between servers, and the process temporarily writes .asp or .aspx files to a staging directory.
Filter/Exclusion: robocopy.exe and rsync.exe are not the acting process for this rule, so a process-name check adds nothing. Verify that the staging directory is the documented destination of the job and that the copied .asp or .aspx files match their source, then exclude that directory by exact path rather than by the substrings backup or sync.
Scenario: Use of a Legacy Scripting Tool
Description: A script or tool like `