The hypothesis is that an adversary uses Exchange PowerShell (cmdlets such as New-Mailbox and Update-RoleGroupMember) to create a mailbox or identity whose name mimics a legitimate Microsoft Exchange Health Manager monitoring mailbox, the technique Microsoft attributed to the Europium actor, and then uses that identity for persistent access (ATT&CK T1136, Create Account). SOC teams should proactively hunt for this behavior in Microsoft Sentinel (formerly Azure Sentinel) so that long-term compromise and follow-on lateral movement can be detected and contained early.
KQL Query

```kusto
(union isfuzzy=true
(SecurityEvent
| where EventID==4688
| where CommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and CommandLine has "HealthMailbox55x2yq"
| project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
),
(DeviceProcessEvents
| where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq"
| extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
| extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
)
)
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
```
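The query's matching logic, re-implemented in Python over constructed sample rows as an added example (this is not code from the rule or from the Azure-Sentinel repository). It mirrors the union of the two tables, the cmdlet-plus-IOC where clause and the HostName/HostNameDomain split, approximates KQL `has` term semantics, and goes one step beyond the rule with `lookalike_names`, which assumes the naming convention of genuine health mailboxes (HealthMailbox followed by the 32 hex digits of a GUID). Host names, accounts and command lines are invented.

```python
"""Offline re-implementation of the rule's matching logic over constructed sample
events. Added illustration, not code from the Azure-Sentinel rule."""
import re

CMDLETS = ("New-Mailbox", "Update-RoleGroupMember")   # the rule's has_any() list
IOC_NAME = "HealthMailbox55x2yq"                      # the literal the rule keys on

# Assumption beyond the rule: genuine Exchange health mailboxes are named
# "HealthMailbox" + 32 hex digits of a GUID; any other HealthMailbox* name is a
# lookalike worth flagging if the match is ever broadened from the literal above.
GENUINE_HEALTH_MAILBOX = re.compile(r"^HealthMailbox[0-9a-f]{32}$", re.IGNORECASE)
TERM = re.compile(r"[A-Za-z0-9]+")


def kql_has(text, phrase):
    """Approximate KQL `has`: the phrase's terms must occur as a run of whole
    terms, case-insensitively. Unlike a substring test, 'HealthMailbox55x2yq1'
    does not satisfy has 'HealthMailbox55x2yq'."""
    terms = [t.lower() for t in TERM.findall(text or "")]
    wanted = [t.lower() for t in TERM.findall(phrase)]
    return any(terms[i:i + len(wanted)] == wanted
               for i in range(len(terms) - len(wanted) + 1))


def matches_rule(cmdline):
    """The rule's where clause: a listed cmdlet AND the IOC name on one command line."""
    return any(kql_has(cmdline, c) for c in CMDLETS) and kql_has(cmdline, IOC_NAME)


def lookalike_names(cmdline):
    """Broadened check: every HealthMailbox* term that is not a genuine health mailbox name."""
    names = [t for t in TERM.findall(cmdline or "")
             if t.lower().startswith("healthmailbox") and not GENUINE_HEALTH_MAILBOX.match(t)]
    return list(dict.fromkeys(names))      # de-duplicate, keep first-seen order


def normalize(event):
    """Map a SecurityEvent 4688 row or a DeviceProcessEvents row onto the columns
    the query projects, mirroring its union and HostName/HostNameDomain logic."""
    if event.get("EventID") == 4688:                       # SecurityEvent branch
        device = event["Computer"]
        domain, account = event["SubjectDomainName"], event["SubjectUserName"]
        cmdline, source = event.get("CommandLine", ""), "SecurityEvent"
    else:                                                   # DeviceProcessEvents branch
        device = event["DeviceName"]
        domain, account = event["InitiatingProcessAccountDomain"], event["InitiatingProcessAccountName"]
        cmdline, source = event.get("ProcessCommandLine", ""), "DeviceProcessEvents"
    host, dot, rest = device.partition(".")
    return {
        "Source": source,
        "DeviceName": device,
        "HostName": host,                                  # split(DeviceName, ".")[0]
        "HostNameDomain": rest if dot else device,         # iff(DomainIndex != -1, ...)
        "InitiatingProcessAccount": f"{domain}\\{account}",
        "CommandLine": cmdline,
    }


def run_rule(events):
    """Return the normalized rows the rule would alert on."""
    hits = []
    for event in events:
        row = normalize(event)
        if matches_rule(row["CommandLine"]):
            row["Lookalikes"] = lookalike_names(row["CommandLine"])
            hits.append(row)
    return hits


# Constructed sample rows (not real telemetry); only the columns the query uses.
SAMPLE_EVENTS = [
    {   # 4688 with command-line auditing on: the actor's mailbox creation
        "EventID": 4688, "Computer": "EXCH01.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc-exchadmin",
        "CommandLine": 'powershell.exe -NoProfile -Command "New-Mailbox -Name HealthMailbox55x2yq '
                       '-UserPrincipalName HealthMailbox55x2yq@corp.example -Password $p"',
    },
    {   # Defender for Endpoint row: the same identity added to a privileged role group
        "DeviceName": "EXCH02", "InitiatingProcessAccountDomain": "CORP",
        "InitiatingProcessAccountName": "svc-exchadmin",
        "ProcessCommandLine": 'powershell.exe -Command "Update-RoleGroupMember \'Organization Management\' '
                              '-Members HealthMailbox55x2yq -BypassSecurityGroupManagerCheck"',
    },
    {   # 4688 without command-line auditing: CommandLine is empty, so nothing can match
        "EventID": 4688, "Computer": "EXCH01.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "svc-exchadmin", "CommandLine": "",
    },
    {   # Admin creating a test mailbox (false-positive scenario): no IOC name, no match
        "EventID": 4688, "Computer": "EXCH01.corp.example",
        "SubjectDomainName": "CORP", "SubjectUserName": "jsmith",
        "CommandLine": 'powershell.exe -Command "New-Mailbox -Name TestUser01 -UserPrincipalName testuser01@testdomain.com"',
    },
    {   # Term semantics: a longer name containing the IOC as a prefix is a different term
        "DeviceName": "EXCH02", "InitiatingProcessAccountDomain": "CORP",
        "InitiatingProcessAccountName": "jsmith",
        "ProcessCommandLine": 'powershell.exe -Command "New-Mailbox -Name HealthMailbox55x2yq1"',
    },
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit["Source"], hit["HostName"], hit["HostNameDomain"],
              hit["InitiatingProcessAccount"], hit["Lookalikes"])
```

Running it prints the two alerting rows. The empty-CommandLine row shows why 4688 collected without command-line auditing can never fire this rule, and the HealthMailbox55x2yq1 row shows that KQL `has` is a whole-term match, so a rule broadened to catch other lookalikes needs a prefix-and-format check such as `lookalike_names` rather than another literal.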
```yaml
id: 0a3f4f4f-46ad-4562-acd6-f17730a5aef4
name: Unusual identity creation using exchange powershell
description: |
  'The query below identifies creation of an unusual identity by the Europium actor that mimics the Microsoft Exchange Health Manager service account, using Exchange PowerShell commands.
  Reference: https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/'
severity: High
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
queryFrequency: 12h
queryPeriod: 12h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1136
tags:
  - Europium
query: |
  (union isfuzzy=true
  (SecurityEvent
  | where EventID==4688
  | where CommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and CommandLine has "HealthMailbox55x2yq"
  | project TimeGenerated, DeviceName = Computer, AccountName = SubjectUserName, AccountDomain = SubjectDomainName, ProcessName, ProcessNameFullPath = NewProcessName, EventID, Activity, CommandLine, EventSourceName, Type
  | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
  ),
  (DeviceProcessEvents
  | where ProcessCommandLine has_any ("New-Mailbox","Update-RoleGroupMember") and ProcessCommandLine has "HealthMailbox55x2yq"
  | extend timestamp = TimeGenerated, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
  | extend InitiatingProcessAccount = strcat(AccountDomain, "\\", AccountName)
  )
  )
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: InitiatingProcessAccount
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountDomain
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: DeviceName
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
version: 1.1.1
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Threat Protection", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Ensure the Microsoft Defender XDR (MicrosoftThreatProtection) connector is enabled and the Exchange servers are onboarded to Defender for Endpoint, which populates ProcessCommandLine. |
| SecurityEvent | Ensure the Windows Security Events connector is enabled and that event 4688 is collected with the audit policy setting "Include command line in process creation events" turned on; without it the CommandLine field is empty and this rule can never match. |
Note on false positives: as written, the query fires only when a process command line contains both one of the cmdlets New-Mailbox or Update-RoleGroupMember and the literal name HealthMailbox55x2yq, so routine Exchange administration does not match unless that exact name is reused. The scenarios below become relevant if the match is broadened during tuning (for example to any HealthMailbox* name or to additional mailbox and role-group cmdlets); no exclusion should suppress the HealthMailbox55x2yq literal itself.
Scenario: Scheduled Job for Mailbox Backup
Description: A legitimate scheduled job runs Exchange PowerShell to back up mailbox data and may match a broadened version of the rule because it invokes Exchange cmdlets.
Filter/Exclusion: Check for Backup- cmdlets in the command line, or filter on a job name containing "Backup" or "Archive".
Scenario: Admin Task – Creating Test User Accounts
Description: An administrator creates test mailboxes with New-Mailbox for internal testing or training purposes.
Filter/Exclusion: Filter on the test users' e-mail domain (e.g., @testdomain.com) or on "Test" in the user principal name (UPN), and confirm the names do not start with HealthMailbox.
Scenario: Exchange Management Shell Script Execution
Description: A script run from the Exchange Management Shell automates routine administrative tasks such as mailbox migration or distribution list management.
Filter/Exclusion: Filter on the script path (e.g., C:\Scripts\) or on known administrative cmdlets such as New-MoveRequest (Move-Mailbox on Exchange 2007) or Set-DistributionGroup.
Scenario: Service Account for Monitoring Tools
Description: A service account for a monitoring tool such as SolarWinds or Nagios is created with Exchange PowerShell to monitor mailbox health or performance.
Filter/Exclusion: Filter on the service account's name or UPN, or on monitoring-related cmdlets such as Get-MailboxStatistics.
Scenario: User Migration via Exchange PowerShell
Description: An administrator uses Exchange PowerShell to migrate users from one domain to another, which may match a broadened version of the rule because it invokes Exchange cmdlets.
Filter/Exclusion: Filter on migration-related cmdlets such as New-MoveRequest or check for the migration source and