Exchange Set OabVirtualDirectory ExternalUrl Property

Detects an adversary setting the OabVirtualDirectory ExternalUrl property to a script, as recorded in the Exchange Management log.

Jose Rodriguez | Created Mon Mar 15 | Updated Mon Jan 23 | 9db37458-4df2-46a5-95ab-307e7f29e675 | windows
Log Source
Product: Windows (raw: windows)
Service: msexchange-management (raw: msexchange-management)
Detection Logic
detection:
    keywords:
        '|all':
            - 'Set-OabVirtualDirectory'
            - 'ExternalUrl'
            - 'Page_Load'
            - 'script'
    condition: keywords
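
The keyword logic above, evaluated in Python as an added example (not part of the rule or the Sigma project's code): each keyword is a case-insensitive substring match over the whole event, and '|all' requires all four in the same event. The "Message" field name and the sample events are constructed for illustration.

```python
# Added example, not part of the rule: Sigma keyword semantics for this rule.
# Keywords are case-insensitive substring matches over the whole event;
# the '|all' modifier requires every keyword to be present in the same event.
KEYWORDS = ["Set-OabVirtualDirectory", "ExternalUrl", "Page_Load", "script"]


def event_text(event):
    """Flatten all field values of an event into one lowercase string."""
    parts = []

    def walk(value):
        if isinstance(value, dict):
            for v in value.values():
                walk(v)
        elif isinstance(value, (list, tuple)):
            for v in value:
                walk(v)
        elif value is not None:
            parts.append(str(value))

    walk(event)
    return "\n".join(parts).lower()


def missing_keywords(event):
    """Return the rule keywords absent from the event (empty list = rule fires)."""
    text = event_text(event)
    return [k for k in KEYWORDS if k.lower() not in text]


def rule_fires(event):
    return not missing_keywords(event)


# Constructed sample events; the "Message" field name and values are hypothetical.
SAMPLES = [
    {"Message": 'Cmdlet Set-OabVirtualDirectory, parameters -Identity "OAB (Default Web Site)" '
                '-ExternalUrl "https://mail.example.invalid/OAB"'},
    {"Message": 'Cmdlet Set-OabVirtualDirectory, parameters -Identity "OAB (Default Web Site)" '
                '-ExternalUrl "https://mail.example.invalid/scripts/OAB"'},
    {"Message": 'Cmdlet set-oabvirtualdirectory, parameters -Identity "OAB (Default Web Site)" '
                '-externalurl "http://placeholder.invalid/<script runat=server>'
                'function Page_Load(){/* body elided */}</script>"'},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLES):
        print(i, rule_fires(ev), missing_keywords(ev))
```

The second sample shows why 'Page_Load' is in the list: a legitimate URL whose path contains "scripts" satisfies three of the four keywords but does not fire the rule.
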
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK
Rule Metadata
Rule ID
9db37458-4df2-46a5-95ab-307e7f29e675
Status
test
Level
high
Type
Detection
Created
Mon Mar 15
Modified
Mon Jan 23
Path
rules/windows/builtin/msexchange/win_exchange_set_oabvirtualdirectory_externalurl.yml
Raw Tags
attack.persistence, attack.t1505.003