Query Details

Security Event Exchange OAB Virtual Directory Attribute Containing Potential Webshell

Query

SecurityEvent
| where EventID == 5136
    and EventData has_all ("msExchOABVirtualDirectory", "script")
    and EventData has_any ("msExchExternalHostName", "msExchInternalHostName")
| project
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    SubjectLogonId,
    Activity,
    OperationType,
    EventData
| mv-apply Auxiliar = parse_xml(EventData)["EventData"]["Data"] on (
    summarize BagToUnpack = make_bag(bag_pack(tostring(Auxiliar["@Name"]), tostring(Auxiliar["#text"])))
    )
| evaluate bag_unpack(BagToUnpack, OutputColumnPrefix = "EventData_", columnsConflict="keep_source")
| where column_ifexists("EventData_ObjectClass", "") has "msExchOABVirtualDirectory"
    and column_ifexists("EventData_AttributeLDAPDisplayName", "") has_any ("msExchExternalHostName", "msExchInternalHostName")
    and column_ifexists("EventData_AttributeValue", "") has "script"
| project-reorder
    TimeGenerated,
    Computer,
    Account,
    AccountType,
    SubjectLogonId,
    Activity,
    OperationType,
    EventData,
    EventData_*

Explanation

The query filters SecurityEvent for EventID 5136 (a directory service object was modified) and first applies a cheap pre-filter on the raw EventData string: it must contain both "msExchOABVirtualDirectory" and "script", and at least one of "msExchExternalHostName" or "msExchInternalHostName". It then projects the columns of interest, parses the EventData XML with parse_xml, and uses mv-apply with make_bag and bag_pack to turn each <Data Name="..."> element into a key/value pair, which bag_unpack expands into EventData_-prefixed columns. A second, precise filter then requires EventData_ObjectClass to be msExchOABVirtualDirectory, EventData_AttributeLDAPDisplayName to be msExchExternalHostName or msExchInternalHostName, and EventData_AttributeValue to contain the term "script"; script markup written into a host-name attribute of an OAB virtual directory, rather than a host name, is what the title flags as a potential webshell. Finally, project-reorder places the original columns first, followed by every EventData_* column produced by unpacking. column_ifexists keeps the query from failing when an unpacked column is missing from a given event, and Event 5136 is only generated when the "Audit Directory Service Changes" subcategory is enabled and the object carries a matching SACL.
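As an added example (not part of the original query page), the Python below reproduces the parse-and-filter stage of the KQL over constructed Event 5136 EventData XML: it unpacks each Data element into a name/value map the way make_bag(bag_pack(...)) does, approximates KQL's whole-term `has` matching, and applies the same ObjectClass/AttributeLDAPDisplayName/AttributeValue conditions. The sample events and host names are invented for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed EventData payloads shaped like Event ID 5136 ("A directory service
# object was modified"). These are not real logs; values are illustrative only.
SAMPLE_EVENTS = [
    # 1: OAB virtual directory host-name attribute rewritten to contain script markup
    ('<EventData><Data Name="ObjectDN">CN=OAB (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCH01</Data>'
     '<Data Name="ObjectClass">msExchOABVirtualDirectory</Data>'
     '<Data Name="AttributeLDAPDisplayName">msExchExternalHostName</Data>'
     '<Data Name="AttributeValue">mail.example.com/&lt;script&gt;...&lt;/script&gt;</Data>'
     '<Data Name="OperationType">%%14674</Data></EventData>'),
    # 2: legitimate host-name change on the same object class (should not match)
    ('<EventData><Data Name="ObjectClass">msExchOABVirtualDirectory</Data>'
     '<Data Name="AttributeLDAPDisplayName">msExchInternalHostName</Data>'
     '<Data Name="AttributeValue">mail.example.com</Data>'
     '<Data Name="OperationType">%%14674</Data></EventData>'),
    # 3: "script" appears only inside a user object's scriptPath attribute (should not match)
    ('<EventData><Data Name="ObjectClass">user</Data>'
     '<Data Name="AttributeLDAPDisplayName">scriptPath</Data>'
     '<Data Name="AttributeValue">logon.bat</Data>'
     '<Data Name="OperationType">%%14674</Data></EventData>'),
]

HOSTNAME_ATTRS = ("msExchExternalHostName", "msExchInternalHostName")


def has_term(text, term):
    """Approximate KQL `has`: case-insensitive match of a whole term, not a substring."""
    pattern = r"(?<![A-Za-z0-9_])" + re.escape(term) + r"(?![A-Za-z0-9_])"
    return re.search(pattern, text, re.IGNORECASE) is not None


def unpack_event_data(xml_text):
    """Mirror parse_xml + make_bag(bag_pack(@Name, #text)): map Data Name -> text."""
    root = ET.fromstring(xml_text)
    return {d.get("Name"): (d.text or "") for d in root.findall("Data")}


def is_suspicious_oab_change(xml_text):
    """Same three conditions as the query's second `where` stage."""
    f = unpack_event_data(xml_text)
    return (has_term(f.get("ObjectClass", ""), "msExchOABVirtualDirectory")
            and any(has_term(f.get("AttributeLDAPDisplayName", ""), a) for a in HOSTNAME_ATTRS)
            and has_term(f.get("AttributeValue", ""), "script"))


def find_suspicious(events):
    """Return indexes of events that the detection would surface."""
    return [i for i, e in enumerate(events) if is_suspicious_oab_change(e)]


if __name__ == "__main__":
    for i in find_suspicious(SAMPLE_EVENTS):
        print("suspicious OAB change:", unpack_event_data(SAMPLE_EVENTS[i]))
```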

Details


Jose Sebastián Canós

Released: February 15, 2023

Tables

SecurityEvent

Keywords

SecurityEvent,EventID,EventData,msExchOABVirtualDirectory,script,msExchExternalHostName,msExchInternalHostName,TimeGenerated,Computer,Account,AccountType,SubjectLogonId,Activity,OperationType,EventData_ObjectClass,EventData_AttributeLDAPDisplayName,EventData_AttributeValue,EventData_*

Operators

where, has_all, has_any, project, mv-apply, parse_xml, summarize, make_bag, bag_pack, tostring, evaluate, bag_unpack, OutputColumnPrefix, columnsConflict, column_ifexists, has, project-reorder
