Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Back
Idfaf1a6ff-53b5-4f92-8c55-4b20e9957594
RulenameExchange OAB Virtual Directory Attribute Containing Potential Webshell
DescriptionThis query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.

This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services

where the new objects contain potential webshell objects.
SeverityHigh
TacticsInitialAccess
TechniquesT1190
Required data connectorsSecurityEvents
WindowsSecurityEvents
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
Version1.0.2
Arm templatefaf1a6ff-53b5-4f92-8c55-4b20e9957594.json
Deploy To Azure
SecurityEvent
// Look for specific Directory Service Changes and parse data
| where EventID == 5136
| extend EventData = parse_xml(EventData).EventData.Data
| mv-expand bagexpansion = array EventData
| evaluate bag_unpack(EventData)
| extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
// Where changes relate to Exchange OAB
| extend ObjectClass = column_ifexists("ObjectClass", "")
| where ObjectClass =~ "msExchOABVirtualDirectory"
// Look for InternalHostName or ExternalHostName properties being changed
| extend AttributeLDAPDisplayName = column_ifexists("AttributeLDAPDisplayName", "")
| where AttributeLDAPDisplayName in~ ("msExchExternalHostName", "msExchInternalHostName")
// Look for suspected webshell activity
| extend AttributeValue = column_ifexists("AttributeValue", "")
| where AttributeValue has "script"
| project-rename LastSeen = TimeGenerated
| extend ObjectDN = column_ifexists("ObjectDN", "")
| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer
queryFrequency: 1h
triggerThreshold: 0
name: Exchange OAB Virtual Directory Attribute Containing Potential Webshell
version: 1.0.2
id: faf1a6ff-53b5-4f92-8c55-4b20e9957594
status: Available
tactics:
- InitialAccess
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: FullName
- entityType: Host
  fieldMappings:
  - columnName: HostCustomEntity
    identifier: FullName
queryPeriod: 1h
description: |
  'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.
  This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services
  where the new objects contain potential webshell objects.'  
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
query: |
  SecurityEvent
  // Look for specific Directory Service Changes and parse data
  | where EventID == 5136
  | extend EventData = parse_xml(EventData).EventData.Data
  | mv-expand bagexpansion = array EventData
  | evaluate bag_unpack(EventData)
  | extend Key = tostring(column_ifexists('@Name', "")), Value = column_ifexists('#text', "")
  | evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)
  // Where changes relate to Exchange OAB
  | extend ObjectClass = column_ifexists("ObjectClass", "")
  | where ObjectClass =~ "msExchOABVirtualDirectory"
  // Look for InternalHostName or ExternalHostName properties being changed
  | extend AttributeLDAPDisplayName = column_ifexists("AttributeLDAPDisplayName", "")
  | where AttributeLDAPDisplayName in~ ("msExchExternalHostName", "msExchInternalHostName")
  // Look for suspected webshell activity
  | extend AttributeValue = column_ifexists("AttributeValue", "")
  | where AttributeValue has "script"
  | project-rename LastSeen = TimeGenerated
  | extend ObjectDN = column_ifexists("ObjectDN", "")
  | project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue
  | extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer  
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml
triggerOperator: gt
relevantTechniques:
- T1190
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/faf1a6ff-53b5-4f92-8c55-4b20e9957594')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/faf1a6ff-53b5-4f92-8c55-4b20e9957594')]",
      "properties": {
        "alertRuleTemplateName": "faf1a6ff-53b5-4f92-8c55-4b20e9957594",
        "customDetails": null,
        "description": "'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065.\nThis query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services\nwhere the new objects contain potential webshell objects.'\n",
        "displayName": "Exchange OAB Virtual Directory Attribute Containing Potential Webshell",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "HostCustomEntity",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows Security Events/Analytic Rules/ExchangeOABVirtualDirectoryAttributeContainingPotentialWebshell.yaml",
        "query": "SecurityEvent\n// Look for specific Directory Service Changes and parse data\n| where EventID == 5136\n| extend EventData = parse_xml(EventData).EventData.Data\n| mv-expand bagexpansion = array EventData\n| evaluate bag_unpack(EventData)\n| extend Key = tostring(column_ifexists('@Name', \"\")), Value = column_ifexists('#text', \"\")\n| evaluate pivot(Key, any(Value),TimeGenerated, EventID, Computer, Account, AccountType, EventSourceName, Activity, SubjectAccount)\n// Where changes relate to Exchange OAB\n| extend ObjectClass = column_ifexists(\"ObjectClass\", \"\")\n| where ObjectClass =~ \"msExchOABVirtualDirectory\"\n// Look for InternalHostName or ExternalHostName properties being changed\n| extend AttributeLDAPDisplayName = column_ifexists(\"AttributeLDAPDisplayName\", \"\")\n| where AttributeLDAPDisplayName in~ (\"msExchExternalHostName\", \"msExchInternalHostName\")\n// Look for suspected webshell activity\n| extend AttributeValue = column_ifexists(\"AttributeValue\", \"\")\n| where AttributeValue has \"script\"\n| project-rename LastSeen = TimeGenerated\n| extend ObjectDN = column_ifexists(\"ObjectDN\", \"\")\n| project-reorder LastSeen, Computer, Account, ObjectDN, AttributeLDAPDisplayName, AttributeValue\n| extend timestamp = LastSeen, AccountCustomEntity = Account, HostCustomEntity = Computer\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}