Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Exchange Server Suspicious File Downloads

Back
Id8955c0fb-3408-47b0-a3b9-a1faec41e427
RulenameExchange Server Suspicious File Downloads.
DescriptionThis query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells.

This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.

This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel

can be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs
SeverityMedium
TacticsInitialAccess
TechniquesT1190
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml
Version1.0.1
Arm template8955c0fb-3408-47b0-a3b9-a1faec41e427.json
Deploy To Azure
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
http_proxy_oab_CL
| where RawData contains "Download failed and temporary file"
| extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
| extend Extension = strcat(".",split(File, ".")[-1])
| extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
// Uncomment the following line to alert only on interactive file download type
//| where InteractiveFile =~ "Yes"
| extend timestamp = TimeGenerated, HostCustomEntity = Computer
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: HostCustomEntity
  entityType: Host
kind: Scheduled
query: |
  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
  http_proxy_oab_CL
  | where RawData contains "Download failed and temporary file"
  | extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
  | extend Extension = strcat(".",split(File, ".")[-1])
  | extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
  // Uncomment the following line to alert only on interactive file download type
  //| where InteractiveFile =~ "Yes"
  | extend timestamp = TimeGenerated, HostCustomEntity = Computer  
triggerOperator: gt
version: 1.0.1
queryPeriod: 1d
name: Exchange Server Suspicious File Downloads.
metadata:
  categories:
    domains:
    - Application
  support:
    tier: Community
  source:
    kind: Community
  author:
    name: petebryan
severity: Medium
relevantTechniques:
- T1190
requiredDataConnectors: []
triggerThreshold: 0
tactics:
- InitialAccess
queryFrequency: 1d
id: 8955c0fb-3408-47b0-a3b9-a1faec41e427
description: |
  'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. 
  This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 
  This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel
  can be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8955c0fb-3408-47b0-a3b9-a1faec41e427')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8955c0fb-3408-47b0-a3b9-a1faec41e427')]",
      "properties": {
        "alertRuleTemplateName": "8955c0fb-3408-47b0-a3b9-a1faec41e427",
        "customDetails": null,
        "description": "'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. \nThis query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nThis log is commonly found at C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel\ncan be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs\n",
        "displayName": "Exchange Server Suspicious File Downloads.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml",
        "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend timestamp = TimeGenerated, HostCustomEntity = Computer\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}