
Certificate Request Export to Exchange Webserver

Detects a write of an Exchange certificate signing request (CSR) to an untypical directory, or to a file with an .aspx name suffix; either can be used to place a webshell on the Exchange web server.

Author: Max Altgelt (Nextron Systems)
Created: Mon Aug 23
Updated: Mon Jan 23
Log Source
logsource:
    product: windows
    service: msexchange-management
Detection Logic (2 selectors)
detection:
    keywords_export_command:
        '|all':
            - 'New-ExchangeCertificate'
            - ' -GenerateRequest'
            - ' -BinaryEncoded'
            - ' -RequestFile'
    keywords_export_params:
        - '\\\\localhost\\C$'
        - '\\\\127.0.0.1\\C$'
        - 'C:\\inetpub'
        - '.aspx'
    condition: keywords_export_command and keywords_export_params
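The two selectors above mirrored in plain Python so the logic can be checked against log messages. This is an added example, not part of the Sigma rule or the SigmaHQ project: the sample messages are constructed, and the evaluator assumes the standard Sigma keyword semantics (a keyword list is a case-insensitive substring test, the '|all' modifier requires every keyword, and '\\' in the YAML denotes one literal backslash).

```python
"""Minimal evaluator for the two keyword selectors of this Sigma rule.

Added example (not part of the Sigma rule or the SigmaHQ project). The patterns
below are the decoded forms of the YAML strings: '\\\\localhost\\C$' in the
rule means the literal text \\localhost\C$.
"""
from dataclasses import dataclass

# keywords_export_command carries the '|all' modifier: every keyword must appear.
EXPORT_COMMAND_ALL = (
    "New-ExchangeCertificate",
    " -GenerateRequest",
    " -BinaryEncoded",
    " -RequestFile",
)

# keywords_export_params is a plain keyword list: any single keyword suffices.
EXPORT_PARAMS_ANY = (
    r"\\localhost\C$",
    r"\\127.0.0.1\C$",
    r"C:\inetpub",
    ".aspx",
)


def contains_all(message: str, keywords) -> bool:
    """Sigma keyword list with '|all': every keyword is a case-insensitive substring."""
    m = message.lower()
    return all(k.lower() in m for k in keywords)


def contains_any(message: str, keywords) -> bool:
    """Plain Sigma keyword list: at least one keyword is a case-insensitive substring."""
    m = message.lower()
    return any(k.lower() in m for k in keywords)


def matches_rule(message: str) -> bool:
    """condition: keywords_export_command and keywords_export_params"""
    return contains_all(message, EXPORT_COMMAND_ALL) and contains_any(message, EXPORT_PARAMS_ANY)


@dataclass
class Verdict:
    message: str
    command_all: bool
    params_any: bool
    fired: bool


def evaluate(messages):
    """Return one Verdict per message, exposing both selector results and the final condition."""
    return [
        Verdict(m, contains_all(m, EXPORT_COMMAND_ALL), contains_any(m, EXPORT_PARAMS_ANY), matches_rule(m))
        for m in messages
    ]


# Constructed sample messages (not real log data), shaped like the cmdlet text
# that the MSExchange Management log records for a remote PowerShell call.
SAMPLE_EVENTS = [
    # 1: ordinary CSR export to an admin-chosen folder, no suspicious path -> no alert
    r"New-ExchangeCertificate -GenerateRequest -BinaryEncoded -SubjectName 'CN=mail.example.test' -RequestFile 'C:\certreq\mail.req'",
    # 2: CSR written through the admin share into inetpub with an .aspx suffix -> alert
    r"New-ExchangeCertificate -GenerateRequest -BinaryEncoded -SubjectName 'CN=x' -RequestFile '\\localhost\C$\inetpub\wwwroot\test.aspx'",
    # 3: suspicious path, but -BinaryEncoded is missing, so the '|all' selector fails -> no alert
    r"New-ExchangeCertificate -GenerateRequest -RequestFile 'C:\inetpub\wwwroot\test.aspx'",
    # 4: same shape as 2 in different casing; Sigma matching is case-insensitive -> alert
    r"new-exchangecertificate -generaterequest -binaryencoded -requestfile '\\127.0.0.1\c$\temp\req.ASPX'",
    # 5: unrelated cmdlet that merely mentions inetpub -> no alert
    r"Get-ChildItem -Path 'C:\inetpub\wwwroot'",
]

if __name__ == "__main__":
    for i, v in enumerate(evaluate(SAMPLE_EVENTS), 1):
        print(f"event {i}: command_all={v.command_all} params_any={v.params_any} fired={v.fired}")
```

Events 3 and 5 are the ones worth keeping in a regression set: they show that neither selector alone fires the rule, which is what keeps the false-positive rate low for routine CSR exports and for ordinary file listings under inetpub.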
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

MITRE ATT&CK
Tactic: Persistence (attack.persistence)
Technique: T1505.003 Server Software Component: Web Shell (attack.t1505.003)
Rule Metadata
Rule ID
b7bc7038-638b-4ffd-880c-292c692209ef
Status
test
Level
critical
Type
Detection
Created
Mon Aug 23
Modified
Mon Jan 23
Path
rules/windows/builtin/msexchange/win_exchange_proxyshell_certificate_generation.yml
Raw Tags
attack.persistence
attack.t1505.003