sigmaDRL-1.1from SigmaHQ/sigma

Suspicious ASPX File Drop by Exchange

Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1505.003

Rule sourcerules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml

title: Suspicious ASPX File Drop by Exchange
id: bd1212e5-78da-431e-95fa-c58e3237a8e6
related:
    - id: 6b269392-9eba-40b5-acb6-55c882b20ba6
      type: similar
status: test
description: Detects suspicious file type dropped by an Exchange component in IIS into a suspicious folder
references:
    - https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/
    - https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html
    - https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html
author: Florian Roth (Nextron Systems), MSTI (query, idea)
date: 2022-10-01
tags:
    - attack.persistence
    - attack.t1505.003
logsource:
    product: windows
    category: file_event
detection:
    selection:
        Image|endswith: '\w3wp.exe'
        CommandLine|contains: 'MSExchange'
        TargetFilename|contains:
            - 'FrontEnd\HttpProxy\'           # from GTSC and MSTI reports
            - '\inetpub\wwwroot\aspnet_client\' # from GTSC report
    selection_types:
        TargetFilename|endswith:
            - '.aspx'
            - '.asp'
            - '.ashx'
    condition: all of selection*
falsepositives:
    - Unknown
level: high