Certificate Request Export to Exchange Webserver (b7bc7038-638b-4ffd-880c-292c692209ef)

Detects a write of an Exchange certificate signing request (CSR) to an atypical directory, or to a file with an aspx name suffix, which can be used to place a web shell.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Certificate Request Export to Exchange Webserver (b7bc7038-638b-4ffd-880c-292c692209ef) | Sigma-Rules | 1 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2 |