
Failed MSExchange Transport Agent Installation

Detects a failed installation of an Exchange transport agent (a failed Install-TransportAgent cmdlet recorded in the MSExchange Management log).

Author
Tobias Michalski
Log Source
Product
Windows (raw: windows)
Service
msexchange-management (raw: msexchange-management)
Detection Logic (1 selector)
detection:
    selection:
        EventID: 6
        Data|contains: 'Install-TransportAgent'
    condition: selection
False Positives

Legitimate installations of Exchange transport agents. The AssemblyPath parameter of the cmdlet (the DLL being registered) is a good indicator for telling a vendor install from an attacker dropping an agent: a path under a temporary or user-writable directory deserves a closer look.
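As an added example, not part of the Sigma rule or of this page, the selection above is evaluated in Python over a handful of constructed MSExchange Management records, and the AssemblyPath check from the false-positive note is then applied to the hits. The record layout, the AssemblyPath regex and the allow-listed directory are assumptions made for the example; in the MSExchange Management log, event ID 1 records a cmdlet that succeeded and event ID 6 one that failed.

```python
import re

# Constructed sample records (not real Exchange log output). The Data field
# carries the cmdlet name and its parameters, as the rule's Data|contains expects.
SAMPLE_EVENTS = [
    {"EventID": 1, "Data": "Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=jdoe}."},
    {"EventID": 6, "Data": "Cmdlet failed. Cmdlet Install-TransportAgent, parameters "
                           "{Name=Agent1, TransportAgentFactory=Agent.Factory, "
                           "AssemblyPath=C:\\Windows\\Temp\\agent.dll}."},
    {"EventID": 6, "Data": "Cmdlet failed. Cmdlet Set-Mailbox, parameters {Identity=jdoe}."},
    {"EventID": 1, "Data": "Cmdlet succeeded. Cmdlet Install-TransportAgent, parameters "
                           "{Name=Agent2, AssemblyPath=C:\\Program Files\\Vendor\\agent.dll}."},
    {"EventID": 6, "Data": "Cmdlet failed. Cmdlet INSTALL-TRANSPORTAGENT, parameters "
                           "{Name=Agent3, AssemblyPath=C:\\Program Files\\Vendor\\agent.dll}."},
    {"EventID": 6, "Data": "Cmdlet failed. Cmdlet Install-TransportAgent, parameters {}."},
]


def sigma_contains(value, needle):
    """Sigma's |contains modifier: substring match, case-insensitive by default."""
    return needle.lower() in str(value).lower()


def matches_rule(event):
    """The rule's single selection: EventID 6 AND Data|contains 'Install-TransportAgent'."""
    return event.get("EventID") == 6 and sigma_contains(
        event.get("Data", ""), "Install-TransportAgent"
    )


# Pulls the AssemblyPath value out of the parameter list. The layout is an
# assumption that fits the constructed records above, not a documented format.
ASSEMBLY_PATH_RE = re.compile(r"AssemblyPath=([^,}]+)", re.IGNORECASE)


def assembly_path(event):
    """Return the AssemblyPath parameter from an event's Data, or None if absent."""
    m = ASSEMBLY_PATH_RE.search(event.get("Data", ""))
    return m.group(1).strip() if m else None


# Hypothetical allow-list of directories from which vendor agents are expected to
# be loaded; tune to the environment.
EXPECTED_ASSEMBLY_DIRS = ("c:\\program files\\",)


def triage(events):
    """Return one record per rule hit with its AssemblyPath and a suspicious flag.

    A hit is 'expected' only when the DLL path is present and sits under an
    allow-listed directory; a missing path is treated as suspicious.
    """
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        path = assembly_path(ev)
        expected = path is not None and path.lower().startswith(EXPECTED_ASSEMBLY_DIRS)
        hits.append({"Data": ev["Data"], "AssemblyPath": path, "suspicious": not expected})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if hit["suspicious"] else "expected"
        print(f"[{flag}] AssemblyPath={hit['AssemblyPath']}")
```

Note that the match is case-insensitive: Sigma string modifiers compare case-insensitively unless a `cased` modifier is given, so a converter target that does case-sensitive substring search (for instance a raw regex) would miss the upper-cased record above. The succeeded install (event ID 1) is deliberately not a hit; it is outside the scope of this rule.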

MITRE ATT&CK
Persistence: T1505.002 (Server Software Component: Transport Agent)
Rule Metadata
Rule ID
c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa
Status
test
Level
high
Type
Detection
Created
Tue Jun 08
Modified
Tue Jul 12
Path
rules/windows/builtin/msexchange/win_exchange_transportagent_failed.yml
Raw Tags
attack.persistence, attack.t1505.002