Server Software Component: Transport Agent

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.[1][2] Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents are invoked during a specified stage of email processing and carry out developer-defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.[2] Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary-defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

ID: T1505.002
Sub-technique of: T1505
Tactic: Persistence
Platforms: Linux, Windows
Permissions Required: Administrator, SYSTEM, root
Contributors: Christoffer Strömblad; ESET
Version: 1.0
Created: 12 December 2019
Last Modified: 18 October 2021

Procedure Examples

ID     Name         Description
S0395  LightNeuron  LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.[2]

Mitigations

ID     Mitigation                     Description
M1047  Audit                          Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.
M1045  Code Signing                   Ensure all application component binaries are signed by the correct application developers.
M1026  Privileged Account Management  Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

Detection

ID      Data Source      Data Component           Detects
DS0015  Application Log  Application Log Content  Monitor third-party application logs, messaging, and other artifacts for evidence that Microsoft transport agents have been abused to establish persistent access to systems. Consider monitoring application logs for abnormal behavior that may indicate suspicious installation of application software components.
DS0022  File             File Creation            Consider monitoring file locations associated with the installation of new application software components, such as the paths from which applications typically load such extensible components.
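The Audit mitigation (M1047) and both detection rows above come down to one practical routine: enumerate the transport agents Exchange actually has registered, check where each assembly lives and who signed it, and diff the result against a known-good snapshot. The script below is an added example written for this page; it is not MITRE's, Microsoft's, or LightNeuron-related code. It assumes it is run in the Exchange Management Shell, that the objects returned by Get-TransportAgent expose the AssemblyPath and TransportAgentFactory properties, that $env:ExchangeInstallPath is set on the server, and (as a tunable baseline, not a fact from the page) that agents shipped with Exchange live under that install path. The baseline file name is a constructed placeholder.

```powershell
# Added example (not from the ATT&CK page): inventory registered Exchange transport
# agents and flag the ones a defender should review. Run in the Exchange Management
# Shell on each transport server.
# Assumptions: Get-TransportAgent objects expose AssemblyPath and TransportAgentFactory;
# $env:ExchangeInstallPath is set; Exchange's own agents live under that path.

$installPath = $env:ExchangeInstallPath
if (-not $installPath) {
    throw 'ExchangeInstallPath is not set; run this in the Exchange Management Shell.'
}

$report = foreach ($agent in Get-TransportAgent) {
    $dll    = $agent.AssemblyPath
    $exists = [bool]$dll -and (Test-Path -LiteralPath $dll)
    $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $dll } else { $null }
    $hash   = if ($exists) { (Get-FileHash -Path $dll -Algorithm SHA256).Hash } else { $null }

    # Review triggers: assembly missing on disk, assembly not validly signed,
    # or assembly loaded from outside the Exchange install directory.
    $reasons = @()
    if (-not $exists) {
        $reasons += 'assembly missing on disk'
    } else {
        if ($sig.Status -ne 'Valid') { $reasons += "signature status: $($sig.Status)" }
        if (-not $dll.StartsWith($installPath, [StringComparison]::OrdinalIgnoreCase)) {
            $reasons += 'assembly outside Exchange install path'
        }
    }

    [pscustomobject]@{
        Identity = [string]$agent.Identity
        Enabled  = $agent.Enabled
        Priority = $agent.Priority
        Factory  = $agent.TransportAgentFactory
        Assembly = $dll
        Signer   = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SHA256   = $hash
        Review   = ($reasons -join '; ')
    }
}

# Persist a timestamped snapshot so later runs can be compared to an approved baseline.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$report | Export-Csv -NoTypeInformation -Path "transport-agents-$stamp.csv"

# Compare against a previously approved snapshot, if one exists (placeholder file name).
$baselineFile = 'transport-agents-baseline.csv'
if (Test-Path -LiteralPath $baselineFile) {
    $baseline = Import-Csv -LiteralPath $baselineFile
    Write-Host 'Agents added, removed, or changed since baseline (=> current, <= baseline):'
    Compare-Object -ReferenceObject $baseline -DifferenceObject $report `
        -Property Identity, Assembly, SHA256 | Format-Table -AutoSize
}

# Anything with a non-empty Review column needs a human look.
$report | Where-Object { $_.Review } |
    Format-Table Identity, Enabled, Assembly, Signer, Review -AutoSize
```

On Exchange 2013 and later, Get-TransportAgent without parameters lists only the Hub Transport service's agents; rerun it with -TransportService for the other transport services on the server so that nothing registered there is missed. Treat the first CSV produced on a freshly built server as the baseline, and treat any later row that appears, disappears, or changes hash as a change to investigate rather than to silently re-baseline.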

References