Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionmediumtest

Suspicious File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Tue Oct 046b269392-9eba-40b5-acb6-55c882b20ba6windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
            - '.ps1'
            - '.bat'
            - '.exe'
            - '.dll'
            - '.vbs'
    condition: all of selection*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
microsoft.com
2
Resolving title…
gteltsc.vn
3
Resolving title…
en.gteltsc.vn
MITRE ATT&CK
Related Rules
SimilarDetectionhigh

Suspicious ASPX File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
6b269392-9eba-40b5-acb6-55c882b20ba6
Status
test
Level
medium
Type
Detection
Created
Tue Oct 04
Author
Florian Roth (Nextron Systems)
Path
rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml
Raw Tags
attack.persistenceattack.t1190attack.initial-accessattack.t1505.003
View on GitHub