Transport Agent
Software on an Exchange server that processes email messages passing through the transport pipeline to perform various tasks, such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.

The Microsoft Exchange Server Transport Agents SDK allows third parties to implement the following predefined classes of transport agents, among them DeliveryAgent. Transport agents use SMTP events. SMTP events give transport agents access to messages at specific points during the SMTP conversation and during routing of messages through the organization. These events are triggered as messages move through the transport pipeline.

Transport agents have full access to all e-mail messages that they encounter.

Transport Agent (MITRE ATT&CK)
Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events. Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary-defined criteria.

LightNeuron
LightNeuron is Turla's backdoor specifically designed to target Microsoft Exchange mail servers. LightNeuron is the first publicly known malware to use a malicious Microsoft Exchange Transport Agent: .NET assembly code on the Exchange server. It allows the following operations to be performed:

11 Exchange Transport Agent Installation Artifacts
Let's hunt it! Search for usage of the "Install-TransportAgent" and "Enable-TransportAgent" cmdlets in the PowerShell event logs ("Windows PowerShell" and "Microsoft-Windows-PowerShell/Operational"):

( Channel:"Microsoft-Windows-PowerShell/Operational" AND EventID:4104 AND ScriptBlockText.keyword:(Enable-TransportAgent* OR Install-TransportAgent*) ) OR ( Channel:"Windows PowerShell" AND EventID:800 AND Message:("*Enable-TransportAgent*" OR "*Install-TransportAgent*") )

12 Exchange Transport Agent Configuration File
The Transport Agent management cmdlets manipulate the configuration file nfig located at %ExchangeInstallPath%\TransportRoles\Shared.

13 Exchange Transport Agent Configuration File Change
To hide this activity, an adversary can modify the file directly, without using any PowerShell cmdlets.

14 Exchange Transport Agent Configuration File Change
Let's hunt it! Search for Exchange Transport Agent configuration file changes:

Channel:"Microsoft-Windows-Sysmon/Operational" AND EventID:11 AND TargetFilename:"*\\TransportRoles\\Shared\\nfig" AND -Image:"*\\ExchangeSetup\\ExSetupUI.exe"

15 Exchange Transport Agent Loading
A Transport Agent isn't a DLL, it is a .NET assembly.

16 Exchange Transport Agent Loading
Module loading event from the Microsoft-Windows event channel: the .NET assembly that is loaded by the EdgeTransport.exe process.
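The two hunting queries above (slides 11 and 14), implemented as plain Python over constructed sample events so the matching logic can be checked offline. This is an added example, not code from the slides; the agent configuration file name agents.config, the sample paths and the event texts are assumptions, and the Exchange setup image is excluded exactly as the slide's query does.

```python
import fnmatch
import re
# Assumed file name of the agent configuration under %ExchangeInstallPath%\TransportRoles\Shared
AGENT_CONFIG_NAME = "agents.config"
CONFIG_PATTERN = "*\\TransportRoles\\Shared\\" + AGENT_CONFIG_NAME
# Exchange setup legitimately rewrites that file, so the slide's query excludes this image
SETUP_IMAGE_PATTERN = "*\\ExchangeSetup\\ExSetupUI.exe"
AGENT_CMDLETS = re.compile(r"\b(Install|Enable)-TransportAgent\b", re.IGNORECASE)

def is_agent_cmdlet_event(ev):
    """Slide 11: Install-/Enable-TransportAgent in a 4104 script block or an 800 pipeline event."""
    if ev.get("Channel") == "Microsoft-Windows-PowerShell/Operational" and ev.get("EventID") == 4104:
        return AGENT_CMDLETS.search(ev.get("ScriptBlockText", "")) is not None
    if ev.get("Channel") == "Windows PowerShell" and ev.get("EventID") == 800:
        return AGENT_CMDLETS.search(ev.get("Message", "")) is not None
    return False

def is_config_tamper_event(ev):
    """Slide 14: Sysmon EventID 11 on the agent config file by anything other than Exchange setup."""
    if ev.get("Channel") != "Microsoft-Windows-Sysmon/Operational" or ev.get("EventID") != 11:
        return False
    # NTFS paths are case-insensitive, so compare lower-cased; fnmatch's '*' also spans backslashes
    if not fnmatch.fnmatchcase(ev.get("TargetFilename", "").lower(), CONFIG_PATTERN.lower()):
        return False
    return not fnmatch.fnmatchcase(ev.get("Image", "").lower(), SETUP_IMAGE_PATTERN.lower())

def hunt(events):
    """Return (index, rule) pairs for every event that matches one of the two hunting rules."""
    hits = []
    for i, ev in enumerate(events):
        if is_agent_cmdlet_event(ev):
            hits.append((i, "transport-agent-cmdlet"))
        elif is_config_tamper_event(ev):
            hits.append((i, "agent-config-file-change"))
    return hits

# Constructed sample events (not real logs); field names follow the slide queries
CONFIG_FILE = "C:\\Exchange\\TransportRoles\\Shared\\" + AGENT_CONFIG_NAME
SAMPLE_EVENTS = [
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Install-TransportAgent -Name 'Mailer' -AssemblyPath 'C:\\temp\\mailer.dll'"},
    {"Channel": "Windows PowerShell", "EventID": 800,
     "Message": "Pipeline execution details for command line: Enable-TransportAgent -Identity 'Mailer'"},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "ScriptBlockText": "Get-TransportAgent | Format-List"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": "D:\\ExchangeSetup\\ExSetupUI.exe", "TargetFilename": CONFIG_FILE},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 11,
     "Image": "C:\\Windows\\System32\\notepad.exe", "TargetFilename": CONFIG_FILE},
]
```

Running `hunt(SAMPLE_EVENTS)` flags the two cmdlet invocations and the notepad.exe write to the config file, while the read-only Get-TransportAgent call and the ExSetupUI.exe write are left alone.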