Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious ASPX File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems), MSTI (query, idea)Created Sat Oct 01bd1212e5-78da-431e-95fa-c58e3237a8e6windows
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event

Events for file system activity including creation, modification, and deletion.

Detection Logic
Detection Logic2 selectors
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
        TargetFilename|contains:
            - 'FrontEnd\HttpProxy\'           # from GTSC and MSTI reports
            - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
    condition: all of selection*
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References
1
Resolving title…
microsoft.com
2
Resolving title…
gteltsc.vn
3
Resolving title…
en.gteltsc.vn
MITRE ATT&CK
Related Rules
SimilarDetectionmedium

Suspicious File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata
Rule ID
bd1212e5-78da-431e-95fa-c58e3237a8e6
Status
test
Level
high
Type
Detection
Created
Sat Oct 01
Author
Florian Roth (Nextron Systems), MSTI (query, idea)
Path
rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml
Raw Tags
attack.persistenceattack.t1505.003
View on GitHub