Suspicious MSExchangeMailboxReplication ASPX Write
Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .aspx files to disk, which could be a sign of ProxyShell exploitation.
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)
detection:
    selection:
        Image|endswith: '\MSExchangeMailboxReplication.exe'
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
    condition: selection

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
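The selection above applied to file-creation telemetry, as an added example that is not part of the rule page or the Sigma project. The small evaluator stands in for a Sigma backend (keys of a selection are ANDed, list values are ORed, string matching is case-insensitive), and the Sysmon Event ID 11 records, paths and file names are constructed for illustration.

```python
"""Added example (not from the rule page): evaluate the Sigma selection of
rule 7280c9f3-a5af-45d0-916a-bc01cb4151c9 against constructed Sysmon
Event ID 11 (FileCreate) records."""

# The rule's selection transcribed as a dict. Sigma semantics: all keys of a
# selection must match (AND), a list of values matches if any value does (OR),
# and string comparison is case-insensitive by default.
SELECTION = {
    "Image|endswith": "\\MSExchangeMailboxReplication.exe",
    "TargetFilename|endswith": [".aspx", ".asp"],
}


def _field_matches(event, key, patterns):
    """Apply one 'field|modifier' entry of a Sigma selection to an event."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    if isinstance(patterns, str):
        patterns = [patterns]
    pats = [p.lower() for p in patterns]
    if modifier == "endswith":
        return any(value.endswith(p) for p in pats)
    if modifier == "startswith":
        return any(value.startswith(p) for p in pats)
    if modifier == "contains":
        return any(p in value for p in pats)
    if modifier == "":
        return any(value == p for p in pats)
    raise ValueError(f"unsupported modifier: {modifier}")


def matches(event, selection=SELECTION):
    """True when every entry of the selection matches (Sigma AND semantics)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


# Constructed Sysmon FileCreate records; field names follow Sysmon Event ID 11.
SAMPLE_EVENTS = [
    {   # 1: the behaviour the rule targets, MRS binary writing an .aspx file
        "EventID": 11,
        "Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
        "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\sample1.aspx",
    },
    {   # 2: same process writing its own log file, no alert
        "EventID": 11,
        "Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe",
        "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\MailboxReplicationService\MRS.log",
    },
    {   # 3: a different process writing .aspx, outside this rule's scope
        "EventID": 11,
        "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\sample2.aspx",
    },
    {   # 4: upper-case image and extension still match (case-insensitive)
        "EventID": 11,
        "Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\MSEXCHANGEMAILBOXREPLICATION.EXE",
        "TargetFilename": r"C:\inetpub\wwwroot\owa\auth\SAMPLE3.ASP",
    },
]


def run(events=SAMPLE_EVENTS):
    """Return the TargetFilename of every event that trips the rule."""
    return [e["TargetFilename"] for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run():
        print("ALERT:", hit)
```

Events 1 and 4 alert; event 2 shows why the extension check matters (the MRS process legitimately writes many files), and event 3 shows that a web-server worker dropping .aspx content is deliberately not covered here, so it needs a separate rule. During triage the TargetFilename path is the first thing to check, since the rule itself does not constrain the directory.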
References
MITRE ATT&CK
Techniques: T1190 Exploit Public-Facing Application (Initial Access)
Sub-techniques: T1505.003 Server Software Component: Web Shell (Persistence)
Rule Metadata
Rule ID: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
Status: test
Level: high
Type: Detection
Created: Fri Feb 25
Path: rules/windows/file/file_event/file_event_win_susp_exchange_aspx_write.yml
Raw Tags: attack.initial-access, attack.t1190, attack.persistence, attack.t1505.003