Type: Detection | Level: medium | Status: test
MSExchange Transport Agent Installation - Builtin
Detects the installation of an Exchange Transport Agent
Log Source
Product: windows
Service: msexchange-management
Detection Logic (1 selector)
detection:
  selection:
    - 'Install-TransportAgent'
  condition: selection
False Positives
Legitimate installations of Exchange Transport Agents. AssemblyPath is a good indicator for this.
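As an added illustration (not part of the rule or the Sigma project), the selection above applied as a keyword match over constructed MSExchange Management log lines, with AssemblyPath pulled out for the false-positive triage the rule notes. The log line format and the trusted path prefix are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the style of the MSExchange Management channel,
# which records cmdlet invocations with their parameters. The format is an
# assumption for this example, not a real capture.
SAMPLE_LOGS = [
    "Cmdlet succeeded. Cmdlet Get-TransportAgent, parameters {Identity=Malware Agent}.",
    "Cmdlet succeeded. Cmdlet Install-TransportAgent, parameters {Name=ContosoAgent, "
    "TransportAgentFactory=Contoso.Agents.Factory, "
    "AssemblyPath=C:\\Program Files\\Contoso\\ContosoAgent.dll}.",
    "Cmdlet succeeded. Cmdlet Install-TransportAgent, parameters {Name=Update, "
    "TransportAgentFactory=Update.Factory, AssemblyPath=C:\\Windows\\Temp\\u.dll}.",
    "Cmdlet succeeded. Cmdlet Enable-TransportAgent, parameters {Identity=ContosoAgent}.",
]

# A bare list under 'selection' in Sigma is a keyword match: the string must
# appear anywhere in the event. The keyword is the one from the rule above.
KEYWORDS = ["Install-TransportAgent"]

# Assumed location where vendor-installed agents are expected to live; anything
# else is treated as worth a closer look, per the rule's false-positive note.
TRUSTED_PREFIXES = ("C:\\Program Files\\",)

ASSEMBLY_RE = re.compile(r"AssemblyPath=([^,}]+)")


def matches_rule(event: str) -> bool:
    """Sigma keyword semantics: any keyword found anywhere in the event."""
    return any(keyword in event for keyword in KEYWORDS)


def triage(event: str) -> Optional[Dict[str, str]]:
    """Return a finding for matching events; AssemblyPath sets the priority."""
    if not matches_rule(event):
        return None
    match = ASSEMBLY_RE.search(event)
    path = match.group(1).strip() if match else ""
    priority = "low" if path.startswith(TRUSTED_PREFIXES) else "high"
    return {"assembly_path": path, "priority": priority}


def run(events: List[str]) -> List[Dict[str, str]]:
    """Apply the rule to every event and keep only the findings."""
    return [finding for finding in (triage(e) for e in events) if finding]


if __name__ == "__main__":
    for finding in run(SAMPLE_LOGS):
        print(finding)
```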
References
MITRE ATT&CK
Tactics: Persistence
Sub-techniques: T1505.002 (Server Software Component: Transport Agent)
Rule Metadata
Rule ID
4fe151c2-ecf9-4fae-95ae-b88ec9c2fca6
Status
test
Level
medium
Type
Detection
Created
Tue Jun 08
Modified
Sun Nov 27
Author
Path
rules/windows/builtin/msexchange/win_exchange_transportagent.yml
Raw Tags
attack.persistence, attack.t1505.002