Exchange OAB Virtual Directory Attribute Containing Potential Webshell
'This query uses Windows Event ID 5136 in order to detect potential webshell deployment by exploitation of CVE-2021-27065. This query looks for changes to the InternalHostName or ExternalHostName properties of Exchange OAB Virtual Directory objects in AD Directory Services where the new objects contain potential webshell objects.'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 5136 | A directory service object was modified. |
Stages and Predicates
Stage 1: source
SecurityEvent
Stage 2: where
EventID eq "5136"
Stage 3: extend
Stage 4: mv-expand
Stage 5: evaluate
Stage 6: extend
Stage 7: evaluate
Stage 8: extend
Stage 9: where
ObjectClass eq "msExchOABVirtualDirectory"
Stage 10: extend
Stage 11: where
AttributeLDAPDisplayName in ["msExchExternalHostName", "msExchInternalHostName"]
Stage 12: extend
Stage 13: where
AttributeValue match "script"
Stage 14: project-rename
Stage 15: extend
Stage 16: project-reorder
Stage 17: extend
Stage 18: extend
Stage 19: extend
Stage 20: extend
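The same where-predicates applied in Python to a few constructed Event 5136 records, as an added example rather than the rule's own KQL; the XML shape is the standard Windows event envelope, and the helper names and sample attribute values are assumptions made for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constants taken from the rule's predicates above.
WATCHED_CLASS = "msExchOABVirtualDirectory"
WATCHED_ATTRS = {"msExchExternalHostName", "msExchInternalHostName"}
WEBSHELL_PATTERN = re.compile(r"script", re.IGNORECASE)  # mirrors: AttributeValue match "script"
EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def build_event(object_class: str, attr_name: str, attr_value: str) -> str:
    """Construct a minimal 5136 event XML (sample data, not a real log)."""
    return (
        f'<Event xmlns="{EVENT_NS["e"]}">'
        f"<System><EventID>5136</EventID></System><EventData>"
        f'<Data Name="ObjectClass">{escape(object_class)}</Data>'
        f'<Data Name="AttributeLDAPDisplayName">{escape(attr_name)}</Data>'
        f'<Data Name="AttributeValue">{escape(attr_value)}</Data>'
        f"</EventData></Event>"
    )


def parse_5136(event_xml: str) -> dict:
    """Flatten System/EventID and the EventData Name/value pairs into one dict
    (the equivalent of the extend / mv-expand / evaluate stages in the KQL)."""
    root = ET.fromstring(event_xml)
    fields = {d.get("Name"): d.text or "" for d in root.findall("./e:EventData/e:Data", EVENT_NS)}
    fields["EventID"] = root.findtext("./e:System/e:EventID", default="", namespaces=EVENT_NS)
    return fields


def is_suspicious(fields: dict) -> bool:
    """Apply the rule's four where-predicates in the same order as the stages."""
    return (
        fields.get("EventID") == "5136"
        and fields.get("ObjectClass") == WATCHED_CLASS
        and fields.get("AttributeLDAPDisplayName") in WATCHED_ATTRS
        and WEBSHELL_PATTERN.search(fields.get("AttributeValue", "")) is not None
    )


def find_hits(event_xmls: list) -> list:
    """Return (attribute, value) for every event that satisfies the rule."""
    hits = []
    for xml in event_xmls:
        fields = parse_5136(xml)
        if is_suspicious(fields):
            hits.append((fields["AttributeLDAPDisplayName"], fields["AttributeValue"]))
    return hits


# Constructed sample events: a normal hostname change, a change on an unrelated
# object class (must not fire), and two OAB hostname values carrying script content.
SAMPLE_EVENTS = [
    build_event(WATCHED_CLASS, "msExchExternalHostName", "mail.example.com"),
    build_event("user", "description", "<script>sample</script>"),
    build_event(WATCHED_CLASS, "msExchExternalHostName", "<script>sample</script>"),
    build_event(WATCHED_CLASS, "msExchInternalHostName", "http://x/<SCRIPT>sample</SCRIPT>"),
]
```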
Indicators
Each row is a field, operator, and value that the rule matches, taken from the predicates above.
| Field | Operator | Values |
|---|---|---|
| AttributeLDAPDisplayName | in | msExchExternalHostName, msExchInternalHostName |
| AttributeValue | match | script |
| EventID | eq | 5136 |
| ObjectClass | eq | msExchOABVirtualDirectory |