Type: Detection | Level: critical | Status: test

Mailbox Export to Exchange Webserver

Detects a successful export of an Exchange mailbox to an untypical directory or with an .aspx name suffix, which can be used to place a webshell, or the role assignment that is needed before such an export can be run.

Authors: Florian Roth (Nextron Systems), Rich Warren, Christian Burkard (Nextron Systems) | Created: Mon Aug 09 | Updated: Sun Apr 30 | Rule ID: 516376b4-05cd-4122-bae0-ad7641c38d48 | Product: windows
Log Source
Product
Windows (raw: windows)
Service
msexchange-management
Detection Logic (3 selectors)
detection:
    export_command:
        '|all':
            - 'New-MailboxExportRequest'
            - ' -Mailbox '
    export_params:
        - '-FilePath "\\\\' # We care about any share location.
        - '.aspx'
    role_assignment:
        '|all':
            - 'New-ManagementRoleAssignment'
            - ' -Role "Mailbox Import Export"'
            - ' -User '
    condition: (export_command and export_params) or role_assignment
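The three selectors and the condition above can be checked outside a SIEM. The following is an added example, not part of the Sigma rule or of the sigma project: a small Python evaluator that applies the rule's keyword semantics (case-insensitive substring matching against the whole message; '|all' lists require every keyword, plain lists require any) to constructed MSExchange Management log lines. The mailbox, host and share names in the samples are hypothetical. Note that the Sigma escape '\\\\' denotes two literal backslashes, i.e. the start of a UNC share path, which is also what the identical Python literal decodes to.

```python
from __future__ import annotations

# Keyword selectors transcribed from the rule above.
EXPORT_COMMAND_ALL = ["New-MailboxExportRequest", " -Mailbox "]
# '-FilePath "\\\\' decodes to -FilePath "\\ : a UNC share prefix.
EXPORT_PARAMS_ANY = ['-FilePath "\\\\', ".aspx"]
ROLE_ASSIGNMENT_ALL = [
    "New-ManagementRoleAssignment",
    ' -Role "Mailbox Import Export"',
    " -User ",
]


def contains_all(message: str, keywords: list[str]) -> bool:
    """Sigma '|all' list modifier: every keyword must appear in the message."""
    m = message.lower()
    return all(k.lower() in m for k in keywords)


def contains_any(message: str, keywords: list[str]) -> bool:
    """Plain Sigma keyword list: at least one keyword must appear."""
    m = message.lower()
    return any(k.lower() in m for k in keywords)


def evaluate(message: str) -> str | None:
    """Apply the rule condition
         (export_command and export_params) or role_assignment
    and return the branch that fired, or None when the event does not match."""
    export_command = contains_all(message, EXPORT_COMMAND_ALL)
    export_params = contains_any(message, EXPORT_PARAMS_ANY)
    role_assignment = contains_all(message, ROLE_ASSIGNMENT_ALL)
    if export_command and export_params:
        return "mailbox_export"
    if role_assignment:
        return "role_assignment"
    return None


# Constructed sample log messages (hypothetical names, not real telemetry).
SAMPLE_EVENTS = [
    # 0: export with an .aspx file name to a share -> matches
    'New-MailboxExportRequest -Mailbox "jdoe" -FilePath "\\\\EXCH01\\share\\jdoe.aspx"',
    # 1: routine export to a local .pst -> no share prefix, no .aspx, no match
    'New-MailboxExportRequest -Mailbox "jdoe" -FilePath "C:\\Exports\\jdoe.pst"',
    # 2: .pst export to a file share -> still matches, the rule cares about any share
    'New-MailboxExportRequest -Mailbox "jdoe" -FilePath "\\\\FS01\\exports\\jdoe.pst"',
    # 3: granting the role that export requests require -> matches on its own
    'New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "svc-backup"',
    # 4: unrelated read-only cmdlet -> no match
    'Get-MailboxExportRequest -Mailbox "jdoe"',
]


def scan(events: list[str]) -> list[tuple[int, str]]:
    """Return (index, branch) for every event in the list that matches the rule."""
    hits: list[tuple[int, str]] = []
    for i, msg in enumerate(events):
        verdict = evaluate(msg)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, branch in scan(SAMPLE_EVENTS):
        print(f"event {i}: matched via {branch}")
```

Event 2 illustrates the one case a triage analyst should expect: an export of an ordinary .pst to a file share trips the mailbox_export branch because the rule treats any UNC destination as suspicious, so triage should look at the destination path and the file extension together before closing the alert.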
False Positives
Unlikely

False positives are unlikely in most environments; this is a high-confidence detection.

MITRE ATT&CK
Persistence (attack.persistence), Server Software Component: Web Shell (attack.t1505.003)
Rule Metadata
Rule ID
516376b4-05cd-4122-bae0-ad7641c38d48
Status
test
Level
critical
Type
Detection
Created
Mon Aug 09
Modified
Sun Apr 30
Path
rules/windows/builtin/msexchange/win_exchange_proxyshell_mailbox_export.yml
Raw Tags
attack.persistence, attack.t1505.003