Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Back
Idfaf1a6ff-53b5-4f92-8c55-4b20e9957594
RulenameExchange OAB Virtual Directory Attribute Containing Potential Webshell
DescriptionThis query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.

This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
Version1.0.4
Arm templatefaf1a6ff-53b5-4f92-8c55-4b20e9957594.json
Deploy To Azure
SecurityEvent
// Look for specific Directory Service Changes and parse data
| where EventID == 5136
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion = array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
// Where changes relate to Exchange OAB
| extend ObjectClass = column_ifexists("ObjectClass", "")
| where ObjectClass =~ "msExchOABVirtualDirectory"
// Look for InternalHostName or ExternalHostName properties being changed
| extend AttributeLDAPDisplayName = column_ifexists("AttributeLDAPDisplayName", "")
| where AttributeLDAPDisplayName in~ ("msExchExternalHostName", "msExchInternalHostName")
// Look for suspected webshell activity
| extend AttributeValue = column_ifexists("AttributeValue", "")
| where AttributeValue has "script"
| project-rename LastSeen = TimeGenerated
| extend ObjectDN = column_ifexists("ObjectDN", "")
| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
| extend timestamp = LastSeen
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])

queryPeriod: 1h
query: |
  SecurityEvent
  // Look for specific Directory Service Changes and parse data
  | where EventID == 5136
  | extend EventData = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion = array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
  // Where changes relate to Exchange OAB
  | extend ObjectClass = column_ifexists("ObjectClass", "")
  | where ObjectClass =~ "msExchOABVirtualDirectory"
  // Look for InternalHostName or ExternalHostName properties being changed
  | extend AttributeLDAPDisplayName = column_ifexists("AttributeLDAPDisplayName", "")
  | where AttributeLDAPDisplayName in~ ("msExchExternalHostName", "msExchInternalHostName")
  // Look for suspected webshell activity
  | extend AttributeValue = column_ifexists("AttributeValue", "")
  | where AttributeValue has "script"
  | project-rename LastSeen = TimeGenerated
  | extend ObjectDN = column_ifexists("ObjectDN", "")
  | project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
  | extend timestamp = LastSeen
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend AccountName = tostring(split(Account, @'\')[1]), AccountNTDomain = tostring(split(Account, @'\')[0])  
name: Exchange OAB Virtual Directory Attribute Containing Potential Webshell
entityMappings:
- fieldMappings:
  - columnName: Account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountNTDomain
    identifier: NTDomain
  entityType: Account
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: DnsDomain
  entityType: Host
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
description: |
  'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.
  This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.'  
kind: Scheduled
version: 1.0.4
status: Available
severity: High
relevantTechniques:
- T1190
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: faf1a6ff-53b5-4f92-8c55-4b20e9957594