detection.wiki

Detection rules › Sigma

Exchange PowerShell Snap-Ins Usage

Severity
high
Author
FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
Source
upstream

Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27

MITRE ATT&CK coverage

TacticTechniques
ExecutionT1059.001 Command and Scripting Interpreter: PowerShell
CollectionT1114 Email Collection

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: all of selection_img

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: PowerShell.EXE
OriginalFileName: pwsh.dll

Stage 2: all of selection_cli

CommandLine|contains: Add-PSSnapin

Stage 3: all of selection_module

or:
CommandLine|contains: 'Microsoft.Exchange.Management.PowerShell.SnapIn'
CommandLine|contains: 'Microsoft.Exchange.Powershell.Snapin'

Stage 4: not 1 of filter_msiexec

CommandLine|contains: '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null'
ParentImage: 'C:\Windows\System32\msiexec.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
CommandLinematch
  • $exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null
  • Add-PSSnapin corpus 2 (sigma 2)
  • Microsoft.Exchange.Management.PowerShell.SnapIn
  • Microsoft.Exchange.Powershell.Snapin
Imageends_with
  • \powershell.exe corpus 143 (sigma 143)
  • \pwsh.exe corpus 140 (sigma 140)
OriginalFileNameeq
  • PowerShell.EXE corpus 64 (sigma 60, splunk 4)
  • pwsh.dll corpus 72 (sigma 68, splunk 4)
ParentImageeq
  • C:\Windows\System32\msiexec.exe corpus 3 (sigma 3)