Detection rules › Splunk
MS Exchange Mailbox Replication service writing Active Server Pages
The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1133 External Remote Services, T1190 Exploit Public-Facing Application |
| Persistence | T1133 External Remote Services, T1505.003 Server Software Component: Web Shell |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
| Sysmon | 11 | FileCreate |
Stages and Predicates
Stage 1: tstats
tstats WHERE Processes.process_name="MSExchangeMailboxReplication.exe" BY _time, Processes.process_id, Processes.process_name, Processes.process_guid, Processes.dest
Stage 2: search
search
Stage 3: join
join type=inner (...)
Stage 4: dedup
dedup file_create_time
Stage 5: table
table dest, file_create_time, file_name, file_path, process_name
Stage 6: search
search `macro`
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
Filesystem.file_name | eq |
|
Filesystem.file_path | in |
|
Processes.process_name | eq |
|