# MSExchange CmdletLogs
1 event across 1 channel
## Event ID 6

### Fields

| Name | Description |
|---|---|
| Data | — |

### Example Event
```json
{
  "system": {
    "provider": "MSExchange CmdletLogs",
    "guid": "",
    "event_source_name": "",
    "event_id": 6,
    "version": 0,
    "level": 2,
    "task": 1,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2021-06-04T08:43:08.546589+00:00",
    "event_record_id": 7187,
    "correlation": {},
    "execution": {
      "process_id": 0,
      "thread_id": 0
    },
    "channel": "MSExchange Management",
    "computer": "exchange01.offsec.lan",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data": [
      "Enable-TransportAgent",
      "-Identity \"hack\"",
      "offsec.lan/OFFSEC-COMPANY/Administrators/admmig",
      "S-1-5-21-4230534742-2542757381-3142984815-1111",
      "S-1-5-21-4230534742-2542757381-3142984815-1111",
      "Remote-ManagementShell-Unknown",
      "8372 w3wp#MSExchangePowerShellAppPool",
      "",
      "54",
      "00:00:00.0700039",
      "View Entire Forest: 'False', Default Scope: 'offsec.lan', Configuration Domain Controller: 'rootdc1.offsec.lan', Preferred Global Catalog: 'rootdc1.offsec.lan', Preferred Domain Controllers: '{ rootdc1.offsec.lan }'",
      "System.ArgumentException: Transport agent \"hack\" isn't found.\r\nParameter name: Identity\r\n at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)\r\n at Microsoft.Exchange.Management.AgentTasks.AgentBaseTask.SetAgentEnabled(String identity, Boolean enabled)\r\n at Microsoft.Exchange.Management.AgentTasks.EnableTransportAgent.InternalProcessRecord()\r\n at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()\r\n at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)",
      "5",
      "",
      "NonLocalizedException",
      "",
      "",
      "False",
      "",
      "0 objects execution has been proxied to remote server.",
      "",
      "",
      "0",
      "ActivityId: 51b67026-685e-41b9-ad71-bc1e46db849b",
      "ServicePlan:;IsAdmin:True;",
      "",
      "en-US"
    ]
  },
  "message": ""
}
```
### References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx