T1505.002 Transport Agent Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1505.002 — Exchange Transport Agent persistence detection
// Transport agents are .NET DLLs registered in Exchange configuration
// Part 1: Detect new DLL drops in Exchange transport agent directories
let ExchangeAgentDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (
    "\\Microsoft\\Exchange Server\\",
    "\\Exchange Server\\",
    "\\v15\\Bin\\",
    "\\TransportRoles\\",
    "\\FrontEnd\\TransportAgent\\"
  )
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("exsetup.exe", "updateexchangesetup.exe",
                                         "ExchangeSetup.exe", "msiexec.exe", "setup.exe")
| extend DetectionType = "Exchange_Transport_DLL_Write"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Exchange transport pipeline process spawning OS commands
let ExchangeChildProc = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("EdgeTransport.exe", "MSExchangeTransport.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "net.exe")
| extend DetectionType = "Exchange_Transport_OS_Command"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect Install-TransportAgent or New-TransportAgentConnector PowerShell commands
let ExchangeAgentPS = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Install-TransportAgent", "Enable-TransportAgent",
                                    "New-TransportAgentConnector", "Set-TransportAgent")
| extend DetectionType = "Exchange_Transport_Agent_Install"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union ExchangeAgentDrop, ExchangeChildProc, ExchangeAgentPS
| sort by Timestamp desc

critical severity high confidence

Data Sources

File: File Creation Process: Process Creation Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Legitimate Exchange transport agent installations for anti-spam, DLP, or email archiving solutions (Mimecast, Proofpoint, Microsoft journaling agents)
Exchange cumulative update installation writing DLLs to Exchange directories
IT administrators deploying custom transport agents for compliance journaling or email routing
Third-party email security products that register as transport agents

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=11 AND
      match(TargetFilename, "(?i)(\\\\Exchange Server|\\\\TransportRoles|\\\\v15\\\\Bin)") AND
      match(TargetFilename, "(?i)\.dll$") AND
      NOT match(Image, "(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe"),
      "Exchange_Transport_DLL_Drop",
    EventCode=1 AND
      match(ParentImage, "(?i)(EdgeTransport|MSExchangeTransport)\.exe") AND
      match(Image, "(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe"),
      "Exchange_Transport_OS_Command",
    EventCode=1 AND
      match(Image, "(?i)(powershell|pwsh)\.exe") AND
      match(CommandLine, "(?i)(Install-TransportAgent|Enable-TransportAgent|New-TransportAgentConnector|Set-TransportAgent)"),
      "Transport_Agent_Install_Command",
    true(), null()
  )
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename, ParentImage
| sort - _time

critical severity high confidence

Data Sources

File: File Creation Process: Process Creation Sysmon Event ID 1, 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate anti-spam or DLP transport agent installations
Exchange cumulative update deployments
Compliance journaling agent installations by authorized IT staff

Elastic Security (EQL)

eql

any where
  (
    event.category == "file" and
    event.action in ("creation", "modification") and
    file.path : ("*\\Microsoft\\Exchange Server\\*", "*\\Exchange Server\\*", "*\\v15\\Bin\\*", "*\\TransportRoles\\*", "*\\FrontEnd\\TransportAgent\\*") and
    file.extension == "dll" and
    not process.name : ("exsetup.exe", "updateexchangesetup.exe", "exchangesetup.exe", "msiexec.exe", "setup.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.parent.name : ("edgetransport.exe", "msexchangetransport.exe") and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "net.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*Install-TransportAgent*", "*Enable-TransportAgent*", "*New-TransportAgentConnector*", "*Set-TransportAgent*")
  )

critical severity high confidence

Data Sources

Elastic Endpoint Security (endpoint.events.file) Elastic Endpoint Security (endpoint.events.process) Winlogbeat with Sysmon (winlogbeat-*)

Required Tables

logs-endpoint.events.file-* logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate Exchange Cumulative Update (CU) or Security Update installations dropping DLLs to transport directories — exsetup.exe is excluded but custom wrapper scripts may trigger this
Third-party Exchange transport agents from anti-spam or DLP vendors (e.g., Trend Micro ScanMail for Exchange, Proofpoint Email Protection) that register their own DLLs and run Install-TransportAgent during initial setup
Exchange hybrid connector configuration or migration tooling that programmatically installs transport agents using PowerShell automation under a service account

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "destinationip",
  username,
  "hostname",
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "TargetFilename" AS target_filename,
  CASE
    WHEN "EventID" = '11'
      AND ("TargetFilename" ILIKE '%\\Exchange Server\\%'
           OR "TargetFilename" ILIKE '%\\TransportRoles\\%'
           OR "TargetFilename" ILIKE '%\\v15\\Bin\\%'
           OR "TargetFilename" ILIKE '%\\FrontEnd\\TransportAgent\\%')
      AND "TargetFilename" ILIKE '%.dll'
      AND "Image" NOT ILIKE '%exsetup.exe'
      AND "Image" NOT ILIKE '%updateexchangesetup.exe'
      AND "Image" NOT ILIKE '%msiexec.exe'
      AND "Image" NOT ILIKE '%setup.exe'
      THEN 'Exchange_Transport_DLL_Drop'
    WHEN "EventID" = '1'
      AND ("ParentImage" ILIKE '%EdgeTransport.exe'
           OR "ParentImage" ILIKE '%MSExchangeTransport.exe')
      AND ("Image" ILIKE '%\\cmd.exe'
           OR "Image" ILIKE '%\\powershell.exe'
           OR "Image" ILIKE '%\\wscript.exe'
           OR "Image" ILIKE '%\\cscript.exe'
           OR "Image" ILIKE '%\\certutil.exe'
           OR "Image" ILIKE '%\\bitsadmin.exe'
           OR "Image" ILIKE '%\\mshta.exe'
           OR "Image" ILIKE '%\\rundll32.exe'
           OR "Image" ILIKE '%\\net.exe')
      THEN 'Exchange_Transport_OS_Command'
    WHEN "EventID" = '1'
      AND ("Image" ILIKE '%\\powershell.exe'
           OR "Image" ILIKE '%\\pwsh.exe')
      AND ("CommandLine" ILIKE '%Install-TransportAgent%'
           OR "CommandLine" ILIKE '%Enable-TransportAgent%'
           OR "CommandLine" ILIKE '%New-TransportAgentConnector%'
           OR "CommandLine" ILIKE '%Set-TransportAgent%')
      THEN 'Transport_Agent_Install_Command'
    ELSE NULL
  END AS detection_type
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      "EventID" = '11'
      AND ("TargetFilename" ILIKE '%\\Exchange Server\\%' OR "TargetFilename" ILIKE '%\\TransportRoles\\%' OR "TargetFilename" ILIKE '%\\v15\\Bin\\%')
      AND "TargetFilename" ILIKE '%.dll'
    ) OR (
      "EventID" = '1'
      AND ("ParentImage" ILIKE '%EdgeTransport.exe' OR "ParentImage" ILIKE '%MSExchangeTransport.exe')
    ) OR (
      "EventID" = '1'
      AND ("Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe')
      AND ("CommandLine" ILIKE '%Install-TransportAgent%' OR "CommandLine" ILIKE '%Enable-TransportAgent%' OR "CommandLine" ILIKE '%New-TransportAgentConnector%' OR "CommandLine" ILIKE '%Set-TransportAgent%')
    )
  )
  AND detection_type IS NOT NULL
ORDER BY devicetime DESC

critical severity high confidence

Data Sources

Sysmon DSM (Microsoft-Windows-Sysmon/Operational) Microsoft Windows Security Event Log DSM QRadar Universal DSM with custom Sysmon property mappings

Required Tables

events

False Positives

Exchange server patching via automated deployment tools (SCCM, Ansible) that invoke setup wrappers not matching the excluded installer process names — custom wrapper scripts calling msiexec indirectly will appear as unsigned DLL writes
Security scanning products (e.g., CrowdStrike Falcon sensor, Carbon Black) reading Exchange transport DLL paths during scheduled scans may generate EventID 11 entries for file access on some Sysmon configurations
Exchange administrators legitimately registering approved third-party transport agents via remote PowerShell sessions — the Install-TransportAgent cmdlet is the expected installation mechanism for any transport agent

Sumo Logic CSE

sql

(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*winevent*)
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<User>*</User>" as user nodrop
| parse "<Computer>*</Computer>" as computer nodrop
| where event_id in ("1", "11")
| where (
    (event_id == "11"
      and (target_filename matches "*\\Exchange Server\\*"
           or target_filename matches "*\\TransportRoles\\*"
           or target_filename matches "*\\v15\\Bin\\*"
           or target_filename matches "*\\FrontEnd\\TransportAgent\\*")
      and target_filename matches "*.dll"
      and !(process_image matches "*exsetup.exe"
            or process_image matches "*updateexchangesetup.exe"
            or process_image matches "*ExchangeSetup.exe"
            or process_image matches "*msiexec.exe"
            or process_image matches "*setup.exe"))
    or
    (event_id == "1"
      and (parent_image matches "*EdgeTransport.exe"
           or parent_image matches "*MSExchangeTransport.exe")
      and (process_image matches "*\\cmd.exe"
           or process_image matches "*\\powershell.exe"
           or process_image matches "*\\wscript.exe"
           or process_image matches "*\\cscript.exe"
           or process_image matches "*\\certutil.exe"
           or process_image matches "*\\bitsadmin.exe"
           or process_image matches "*\\mshta.exe"
           or process_image matches "*\\rundll32.exe"
           or process_image matches "*\\net.exe"))
    or
    (event_id == "1"
      and (process_image matches "*\\powershell.exe"
           or process_image matches "*\\pwsh.exe")
      and (command_line matches "*Install-TransportAgent*"
           or command_line matches "*Enable-TransportAgent*"
           or command_line matches "*New-TransportAgentConnector*"
           or command_line matches "*Set-TransportAgent*"))
  )
| eval detection_type = if(event_id == "11"
      and (target_filename matches "*\\Exchange Server\\*" or target_filename matches "*\\TransportRoles\\*" or target_filename matches "*\\v15\\Bin\\*")
      and target_filename matches "*.dll",
    "Exchange_Transport_DLL_Drop",
    if(event_id == "1"
        and (parent_image matches "*EdgeTransport.exe" or parent_image matches "*MSExchangeTransport.exe"),
      "Exchange_Transport_OS_Command",
      "Transport_Agent_Install_Command"))
| fields _messageTime, computer, user, detection_type, process_image, command_line, target_filename, parent_image
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Windows Event Log Collector (Sysmon/Operational) Sumo Logic Installed Collector with Windows Event Source Cloud Syslog Source forwarding Sysmon events

Required Tables

_sourceCategory=*windows*sysmon* _sourceCategory=*endpoint*

False Positives

Initial deployment of legitimate Exchange-integrated security products (anti-spam, email archiving, DLP) that use Install-TransportAgent during their setup wizard — these are indistinguishable from malicious installs without prior change-management context
Exchange server in-place upgrade processes that may run exsetup variants not exactly matching the excluded names, or that invoke transport service restart causing EdgeTransport.exe to launch child processes for health checks
Automated certificate renewal or TLS reconfiguration scripts invoked from Exchange transport service context that spawn PowerShell or cmd.exe for configuration tasks unrelated to agent installation

Google Chronicle / SecOps

yaral

rule exchange_transport_agent_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Exchange transport agent (T1505.002) persistence: DLL drops to transport directories, OS commands from transport processes, or PowerShell agent installation cmdlets"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.002"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1505/002/"

  events:
    (
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path,
        `(?i)(\\Microsoft\\Exchange Server\\|\\Exchange Server\\|\\v15\\Bin\\|\\TransportRoles\\|\\FrontEnd\\TransportAgent\\)`) and
      re.regex($e.target.file.full_path, `(?i)\.dll$`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe$`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path,
        `(?i)(EdgeTransport|MSExchangeTransport)\.exe$`) and
      re.regex($e.target.process.file.full_path,
        `(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe$`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
      re.regex($e.target.process.command_line,
        `(?i)(Install-TransportAgent|Enable-TransportAgent|New-TransportAgentConnector|Set-TransportAgent)`)
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Google Chronicle UDM (Windows endpoints via Sysmon or EDR forwarders) Chronicle Ingestion API with Windows Event Log parser Chronicle Forwarder with Sysmon XML parser

Required Tables

UDM events (FILE_CREATION, PROCESS_LAUNCH)

False Positives

Legitimate Exchange transport agent software vendors (e.g., GFI MailEssentials, Hornetsecurity) deploying updates that write DLLs to Exchange transport directories outside of the standard Exchange setup process
Exchange hybrid deployment wizard or Microsoft Exchange Hybrid Configuration Tool spawning PowerShell with Set-TransportAgent or similar cmdlets during hybrid connector configuration
Automated Exchange health monitoring or management scripts running under the Exchange Trusted Subsystem that execute PowerShell commands as child processes of transport service components

CrowdStrike LogScale (CQL)

cql

#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|FileWritten)$/
| case {
    #event_simpleName = "FileWritten"
      FilePath = /(?i)(\\Microsoft\\Exchange Server\\|\\Exchange Server\\|\\v15\\Bin\\|\\TransportRoles\\|\\FrontEnd\\TransportAgent\\)/
      FileName = /(?i)\.dll$/
      ImageFileName != /(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe$/
      | detection_type := "Exchange_Transport_DLL_Drop" ;
    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
      ParentBaseFileName = /(?i)^(EdgeTransport|MSExchangeTransport)\.exe$/
      FileName = /(?i)^(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe$/
      | detection_type := "Exchange_Transport_OS_Command" ;
    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
      FileName = /(?i)^(powershell|pwsh)\.exe$/
      CommandLine = /(?i)(Install-TransportAgent|Enable-TransportAgent|New-TransportAgentConnector|Set-TransportAgent)/
      | detection_type := "Transport_Agent_Install_Command" ;
  }
| groupBy(
    [ComputerName, UserName, detection_type, FileName, ParentBaseFileName],
    function=[
      collect([CommandLine, FilePath], limit=10),
      count(as=event_count)
    ]
  )
| sort(event_count, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon Sensor (Falcon Data Replicator or Event Search) LogScale Falcon Event Stream — ProcessRollup2, SyntheticProcessRollup2 LogScale Falcon Event Stream — FileWritten

Required Tables

ProcessRollup2 SyntheticProcessRollup2 FileWritten

False Positives

Exchange server monthly patching cycles where the Falcon sensor captures DLL writes from the Exchange CU installer using a wrapper or SCCM package that does not match the excluded installer process names exactly
CrowdStrike-managed detection exclusions for known Exchange transport agent vendors may not cover all legitimate products — security email gateway integrations writing agent DLLs during installation will trigger the FileWritten detection branch
Exchange Management Shell remoting sessions where an administrator runs Install-TransportAgent interactively or via a runbook — CommandLine will contain the cmdlet name identically to a malicious invocation without additional context from the calling session

Transport Agent

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Persistence

Popular Detections