T1505.002 Google Chronicle · YARA-L

Detect Transport Agent in Google Chronicle

Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline. Turla's LightNeuron malware is the canonical example — registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance.

MITRE ATT&CK

Tactic: Persistence
Technique: T1505 Server Software Component
Sub-technique: T1505.002 Transport Agent
Canonical reference: https://attack.mitre.org/techniques/T1505/002/

YARA-L Detection Query

Google Chronicle (YARA-L)
rule exchange_transport_agent_persistence {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Exchange transport agent (T1505.002) persistence: DLL drops to transport directories, OS commands from transport processes, or PowerShell agent installation cmdlets"
    mitre_attack_tactic = "Persistence"
    mitre_attack_technique = "T1505.002"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1505/002/"

  events:
    (
      $e.metadata.event_type = "FILE_CREATION" and
      re.regex($e.target.file.full_path,
        `(?i)(\\Microsoft\\Exchange Server\\|\\Exchange Server\\|\\v15\\Bin\\|\\TransportRoles\\|\\FrontEnd\\TransportAgent\\)`) and
      re.regex($e.target.file.full_path, `(?i)\.dll$`) and
      not re.regex($e.principal.process.file.full_path,
        `(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe$`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path,
        `(?i)(EdgeTransport|MSExchangeTransport)\.exe$`) and
      re.regex($e.target.process.file.full_path,
        `(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe$`)
    ) or
    (
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`) and
      re.regex($e.target.process.command_line,
        `(?i)(Install-TransportAgent|Enable-TransportAgent|New-TransportAgentConnector|Set-TransportAgent)`)
    )

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting Exchange transport agent persistence using UDM normalized events. Matches FILE_CREATION events where DLLs are written to Exchange transport paths by non-installer processes, PROCESS_LAUNCH events where EdgeTransport.exe or MSExchangeTransport.exe spawn interpreter or LOLBIN processes, and PROCESS_LAUNCH events where PowerShell executes transport agent management cmdlets. Covers LightNeuron implant deployment patterns documented by ESET.
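To make the three clauses concrete, the following added example (not code from the page or from Argus) re-implements the rule's logic in Python and runs it over a handful of constructed UDM-style events, including an ExSetup.exe DLL write that the installer exclusion must suppress. Event dictionaries are keyed by the same UDM paths the rule uses; all file paths and the event set are assumptions built for illustration.

```python
import re

# Regexes copied from the rule's clauses; re.search mirrors YARA-L's unanchored re.regex().
EXCHANGE_PATHS = re.compile(r"(?i)(\\Microsoft\\Exchange Server\\|\\Exchange Server\\|"
                            r"\\v15\\Bin\\|\\TransportRoles\\|\\FrontEnd\\TransportAgent\\)")
DLL = re.compile(r"(?i)\.dll$")
INSTALLERS = re.compile(r"(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe$")
TRANSPORT_SVC = re.compile(r"(?i)(EdgeTransport|MSExchangeTransport)\.exe$")
LOLBINS = re.compile(r"(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe$")
PWSH = re.compile(r"(?i)(powershell|pwsh)\.exe$")
AGENT_CMDLETS = re.compile(r"(?i)(Install-TransportAgent|Enable-TransportAgent|"
                           r"New-TransportAgentConnector|Set-TransportAgent)")

def classify(e):
    """Return the name of the rule clause a flattened UDM event satisfies, or None."""
    principal = e.get("principal.process.file.full_path", "")
    target_proc = e.get("target.process.file.full_path", "")
    if e.get("metadata.event_type") == "FILE_CREATION":
        path = e.get("target.file.full_path", "")
        if EXCHANGE_PATHS.search(path) and DLL.search(path) and not INSTALLERS.search(principal):
            return "dll_drop_by_non_installer"
    if e.get("metadata.event_type") == "PROCESS_LAUNCH":
        if TRANSPORT_SVC.search(principal) and LOLBINS.search(target_proc):
            return "transport_service_spawns_interpreter"
        if PWSH.search(target_proc) and AGENT_CMDLETS.search(e.get("target.process.command_line", "")):
            return "transport_agent_cmdlet"
    return None

# Constructed sample events (not real telemetry); paths are illustrative assumptions.
SAMPLE_EVENTS = [
    {"id": 1, "metadata.event_type": "FILE_CREATION",
     "target.file.full_path": r"C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\agent.dll",
     "principal.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 2, "metadata.event_type": "FILE_CREATION",  # Exchange setup writing a DLL: excluded
     "target.file.full_path": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Data.dll",
     "principal.process.file.full_path": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\ExSetup.exe"},
    {"id": 3, "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe",
     "target.process.file.full_path": r"C:\Windows\System32\cmd.exe"},
    {"id": 4, "metadata.event_type": "PROCESS_LAUNCH",
     "principal.process.file.full_path": r"C:\Windows\explorer.exe",
     "target.process.file.full_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target.process.command_line": "powershell.exe -Command Install-TransportAgent -Name agent -AssemblyPath C:\\placeholder\\agent.dll"},
    {"id": 5, "metadata.event_type": "PROCESS_LAUNCH",  # benign: no clause matches
     "principal.process.file.full_path": r"C:\Windows\explorer.exe",
     "target.process.file.full_path": r"C:\Windows\System32\notepad.exe"},
]
def run(events=SAMPLE_EVENTS):
    return {e["id"]: classify(e) for e in events}  # event id -> matching clause or None
```

Running `run()` shows event 2 suppressed by the installer exclusion while events 1, 3 and 4 each hit a different clause; extending SAMPLE_EVENTS with your own vendor-update or hybrid-wizard events is a quick way to check a proposed tuning exclusion before editing the rule.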

Data Sources

  • Google Chronicle UDM (Windows endpoints via Sysmon or EDR forwarders)
  • Chronicle Ingestion API with Windows Event Log parser
  • Chronicle Forwarder with Sysmon XML parser

Required Tables

UDM events (FILE_CREATION, PROCESS_LAUNCH)

False Positives & Tuning

  • Legitimate Exchange transport agent software vendors (e.g., GFI MailEssentials, Hornetsecurity) deploying updates that write DLLs to Exchange transport directories outside of the standard Exchange setup process
  • Exchange hybrid deployment wizard or Microsoft Exchange Hybrid Configuration Tool spawning PowerShell with Set-TransportAgent or similar cmdlets during hybrid connector configuration
  • Automated Exchange health monitoring or management scripts running under the Exchange Trusted Subsystem that execute PowerShell commands as child processes of transport service components
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Installed Transport Agents (Detection Audit)

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.

  2. Test 2: Simulate Transport Agent DLL Drop (File Write Test)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.

  3. Test 3: Check Exchange Admin Audit Log for Transport Agent Commands

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.
