Adversary registers a malicious Microsoft Exchange transport agent DLL (a .NET assembly), configures it via PowerShell or the Exchange Management Shell, and persists code execution by altering email processing logic, triggered by message rules or headers.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Module Load (DC0016) | WinEventLog:Sysmon | EventCode=7 |
| Application Log Content (DC0038) | WinEventLog:Application | Exchange Transport Service loads unusual .NET assembly or errors upon transport agent execution |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| TimeWindow | May need tuning based on frequency of Exchange agent updates in environment. |
| AssemblyPath | Specific DLL paths used by Exchange for registered agents may vary between deployments. |
| CmdletInvocationThreshold | Tunable threshold for repeated use of transport agent management cmdlets. |
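
Added example, not part of this detection strategy or of any Exchange tooling: a Python correlator that applies the analytic above to a few constructed PowerShell 4104 and Sysmon 7/11 events from one host, using the TimeWindow, AssemblyPath and CmdletInvocationThreshold tunables. The agent directory, cmdlet list and transport process name are assumptions and must be matched to the deployment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the strategy's fields; these values are assumptions for the example.
TIME_WINDOW = timedelta(minutes=30)
ASSEMBLY_PATH = r"c:\program files\microsoft\exchange server\v15\transportroles\agents"
CMDLET_INVOCATION_THRESHOLD = 2
# Cmdlets that register or change transport agents (compared case-insensitively).
AGENT_CMDLETS = ("install-transportagent", "enable-transportagent", "set-transportagent")
TRANSPORT_PROCESS = "edgetransport.exe"  # Exchange transport service worker process (assumed)

def detect_transport_agent_abuse(events):
    """Correlate PowerShell 4104 and Sysmon 7/11 events per host; return [(host, reason)]."""
    alerts, cmdlet_times, dropped_dlls = [], defaultdict(list), defaultdict(dict)
    for e in sorted(events, key=lambda ev: ev["time"]):
        host, t, code = e["host"], datetime.fromisoformat(e["time"]), e["code"]
        if code == 4104:  # script block logging: count agent cmdlets inside the window
            if any(c in e["ScriptBlockText"].lower() for c in AGENT_CMDLETS):
                recent = [x for x in cmdlet_times[host] if t - x <= TIME_WINDOW] + [t]
                cmdlet_times[host] = recent
                if len(recent) >= CMDLET_INVOCATION_THRESHOLD:
                    alerts.append((host, "repeated transport-agent cmdlets"))
        elif code == 11:  # file creation: remember when each DLL appeared on disk
            path = e["TargetFilename"].lower()
            if path.endswith(".dll"):
                dropped_dlls[host][path] = t
        elif code == 7 and e["Image"].lower().endswith(TRANSPORT_PROCESS):  # module load
            loaded = e["ImageLoaded"].lower()
            created = dropped_dlls[host].get(loaded)
            if not loaded.startswith(ASSEMBLY_PATH):
                alerts.append((host, f"transport service loaded assembly outside agent path: {loaded}"))
            elif created is not None and t - created <= TIME_WINDOW:
                alerts.append((host, f"transport service loaded newly dropped assembly: {loaded}"))
    return alerts

# Constructed sample telemetry (not real logs): DLL dropped, registered, enabled, then loaded.
SAMPLE_EVENTS = [
    {"host": "EXCH01", "time": "2024-05-01T10:00:00", "code": 11,
     "TargetFilename": ASSEMBLY_PATH + r"\MailHook.dll"},
    {"host": "EXCH01", "time": "2024-05-01T10:02:00", "code": 4104,
     "ScriptBlockText": "Install-TransportAgent -Name MailHook -TransportAgentFactory "
                        "MailHook.Factory -AssemblyPath " + ASSEMBLY_PATH + r"\MailHook.dll"},
    {"host": "EXCH01", "time": "2024-05-01T10:03:00", "code": 4104,
     "ScriptBlockText": "Enable-TransportAgent -Identity MailHook"},
    {"host": "EXCH01", "time": "2024-05-01T10:05:00", "code": 7,
     "Image": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe",
     "ImageLoaded": ASSEMBLY_PATH + r"\MailHook.dll"},
]
```

Calling `detect_transport_agent_abuse(SAMPLE_EVENTS)` yields two alerts for EXCH01: the cmdlet threshold is reached at 10:03 and the freshly dropped assembly is loaded by the transport process at 10:05; a load of a long-standing DLL under the agent path raises nothing.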

Adversary installs or modifies email content filters or transport scripts (e.g., Postfix milter, Sendmail milter, Exim filters) using shell access or configuration manipulation.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | auditd:SYSCALL | write |
| Application Log Content (DC0038) | linux:syslog | milter configuration updated, transport rule initialized, unexpected script execution |
| Process Creation (DC0032) | auditd:EXECVE | /usr/sbin/postfix, /usr/sbin/exim, /usr/sbin/sendmail |
| File Creation (DC0039) | auditd:SYSCALL | write |
| Module Load (DC0016) | linux:Sysmon | EventCode=7 |

| Field | Description |
|---|---|
| MailTransportScriptPath | Path to custom scripts or filters depends on mail daemon (e.g., /etc/postfix/milter/, /etc/exim4/). |
| UserContext | Mail agents may run under different service users (postfix, exim, etc.), which should be scoped. |
| ExecFrequencyThreshold | Frequency of filter script re-execution per daemon restart or reload may vary. |