Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Exchange Server Suspicious File Downloads

Back
Id8955c0fb-3408-47b0-a3b9-a1faec41e427
RulenameExchange Server Suspicious File Downloads.
DescriptionThis query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells.

This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query.

This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel

can be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs
SeverityMedium
TacticsInitialAccess
TechniquesT1190
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml
Version1.0.2
Arm template8955c0fb-3408-47b0-a3b9-a1faec41e427.json
Deploy To Azure
let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
http_proxy_oab_CL
| where RawData contains "Download failed and temporary file"
| extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
| extend Extension = strcat(".",split(File, ".")[-1])
| extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
// Uncomment the following line to alert only on interactive file download type
//| where InteractiveFile =~ "Yes"
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
triggerOperator: gt
tactics:
- InitialAccess
queryPeriod: 1d
kind: Scheduled
relevantTechniques:
- T1190
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml
queryFrequency: 1d
description: |
  'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. 
  This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 
  This log is commonly found at C:\Program Files\Microsoft\Exchange Server\V15\Logging\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel
  can be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs  
requiredDataConnectors: []
version: 1.0.2
triggerThreshold: 0
severity: Medium
metadata:
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Application
  source:
    kind: Community
  support:
    tier: Community
id: 8955c0fb-3408-47b0-a3b9-a1faec41e427
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
name: Exchange Server Suspicious File Downloads.
query: |
  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
  http_proxy_oab_CL
  | where RawData contains "Download failed and temporary file"
  | extend File = extract("([^\\\\]*)(\\\\[^']*)",2,RawData)
  | extend Extension = strcat(".",split(File, ".")[-1])
  | extend InteractiveFile = iif(Extension in (scriptExtensions), "Yes", "No")
  // Uncomment the following line to alert only on interactive file download type
  //| where InteractiveFile =~ "Yes"
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/8955c0fb-3408-47b0-a3b9-a1faec41e427')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/8955c0fb-3408-47b0-a3b9-a1faec41e427')]",
      "properties": {
        "alertRuleTemplateName": "8955c0fb-3408-47b0-a3b9-a1faec41e427",
        "customDetails": null,
        "description": "'This query looks for messages related to file downloads of suspicious file types on an Exchange Server. This could indicate attempted deployment of webshells. \nThis query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. \nThis log is commonly found at C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Logging\\OABGeneratorLog on the Exchange server. Details on collecting custom logs into Sentinel\ncan be found here: https://learn.microsoft.com/azure/sentinel/connect-custom-logs\n",
        "displayName": "Exchange Server Suspicious File Downloads.",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "DnsDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/http_proxy_oab_CL/ExchagngeSuspiciousFileDownloads.yaml",
        "query": "let scriptExtensions = dynamic([\".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\"]);\nhttp_proxy_oab_CL\n| where RawData contains \"Download failed and temporary file\"\n| extend File = extract(\"([^\\\\\\\\]*)(\\\\\\\\[^']*)\",2,RawData)\n| extend Extension = strcat(\".\",split(File, \".\")[-1])\n| extend InteractiveFile = iif(Extension in (scriptExtensions), \"Yes\", \"No\")\n// Uncomment the following line to alert only on interactive file download type\n//| where InteractiveFile =~ \"Yes\"\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}