
Detect Transport Agent in Elastic Security

Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline. Turla's LightNeuron malware is the canonical example — registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance.

MITRE ATT&CK

Tactic: Persistence
Technique: T1505 Server Software Component
Sub-technique: T1505.002 Transport Agent
Canonical reference: https://attack.mitre.org/techniques/T1505/002/

Elastic Detection Query

Elastic Security EQL query:

any where
  (
    event.category == "file" and
    event.action in ("creation", "modification") and
    file.path : ("*\\Microsoft\\Exchange Server\\*", "*\\Exchange Server\\*", "*\\v15\\Bin\\*", "*\\TransportRoles\\*", "*\\FrontEnd\\TransportAgent\\*") and
    file.extension == "dll" and
    not process.name : ("exsetup.exe", "updateexchangesetup.exe", "exchangesetup.exe", "msiexec.exe", "setup.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.parent.name : ("edgetransport.exe", "msexchangetransport.exe") and
    process.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "net.exe")
  ) or
  (
    event.category == "process" and
    event.type == "start" and
    process.name : ("powershell.exe", "pwsh.exe") and
    process.command_line : ("*Install-TransportAgent*", "*Enable-TransportAgent*", "*New-TransportAgentConnector*", "*Set-TransportAgent*")
  )

Severity: critical. Confidence: high.

Detects Exchange transport agent persistence via three patterns: (1) DLL writes to Exchange transport directories from non-installer processes, (2) OS command execution spawned directly from EdgeTransport.exe or MSExchangeTransport.exe, and (3) PowerShell cmdlets used to install or enable transport agents. Covers LightNeuron-style implant deployment and post-install execution chains.

Data Sources

  • Elastic Endpoint Security (endpoint.events.file)
  • Elastic Endpoint Security (endpoint.events.process)
  • Winlogbeat with Sysmon (winlogbeat-*)

Required Tables

  • logs-endpoint.events.file-*
  • logs-endpoint.events.process-*
  • winlogbeat-*

False Positives & Tuning

  • Legitimate Exchange Cumulative Update (CU) or Security Update installations dropping DLLs to transport directories — exsetup.exe is excluded but custom wrapper scripts may trigger this
  • Third-party Exchange transport agents from anti-spam or DLP vendors (e.g., Trend Micro ScanMail for Exchange, Proofpoint Email Protection) that register their own DLLs and run Install-TransportAgent during initial setup
  • Exchange hybrid connector configuration or migration tooling that programmatically installs transport agents using PowerShell automation under a service account
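
To exercise the rule logic against sample telemetry before shipping it, the following is an added Python re-implementation of the query's three branches. It is written for this page and is not Elastic's rule engine or the page's own code; the constants are copied from the EQL above, the wildcard matching imitates EQL's case-insensitive ":" operator, and the two tuning knobs (extra_installers and allowed_dll_paths) are assumptions of this example that map onto the vendor-installer and third-party-agent entries in the False Positives list. All events are constructed, not captured telemetry.

```python
"""Readable re-implementation of the three-branch transport-agent rule.

Added example for testing the rule logic offline; not Elastic's engine.
"""
from fnmatch import fnmatchcase

# Constants copied verbatim from the EQL rule on the page.
EXCHANGE_DLL_PATHS = ("*\\Microsoft\\Exchange Server\\*", "*\\Exchange Server\\*",
                      "*\\v15\\Bin\\*", "*\\TransportRoles\\*",
                      "*\\FrontEnd\\TransportAgent\\*")
INSTALLER_PROCESSES = ("exsetup.exe", "updateexchangesetup.exe", "exchangesetup.exe",
                       "msiexec.exe", "setup.exe")
TRANSPORT_PARENTS = ("edgetransport.exe", "msexchangetransport.exe")
SUSPICIOUS_CHILDREN = ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                       "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe",
                       "net.exe")
AGENT_CMDLETS = ("*Install-TransportAgent*", "*Enable-TransportAgent*",
                 "*New-TransportAgentConnector*", "*Set-TransportAgent*")


def wildcard_in(value, patterns):
    """Case-insensitive wildcard match, like EQL's ':' against a list."""
    if value is None:
        return False
    v = value.lower()
    return any(fnmatchcase(v, p.lower()) for p in patterns)


def get(event, dotted):
    """Read an ECS dotted field such as 'process.parent.name' from a nested dict."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict):
            return None
        cur = cur.get(part)
    return cur


def evaluate(event, extra_installers=(), allowed_dll_paths=()):
    """Return 1, 2 or 3 for the branch that fires, or None.

    extra_installers / allowed_dll_paths are tuning knobs assumed by this
    example (not part of the page's rule): known vendor installers and
    vendor DLL paths can be excluded here instead of editing the rule body.
    """
    cat = get(event, "event.category")
    if cat == "file":
        if (get(event, "event.action") in ("creation", "modification")
                and wildcard_in(get(event, "file.path"), EXCHANGE_DLL_PATHS)
                and get(event, "file.extension") == "dll"
                and not wildcard_in(get(event, "process.name"),
                                    INSTALLER_PROCESSES + tuple(extra_installers))
                and not wildcard_in(get(event, "file.path"), allowed_dll_paths)):
            return 1
    elif cat == "process" and get(event, "event.type") == "start":
        if (wildcard_in(get(event, "process.parent.name"), TRANSPORT_PARENTS)
                and wildcard_in(get(event, "process.name"), SUSPICIOUS_CHILDREN)):
            return 2
        if (wildcard_in(get(event, "process.name"), ("powershell.exe", "pwsh.exe"))
                and wildcard_in(get(event, "process.command_line"), AGENT_CMDLETS)):
            return 3
    return None


def file_event(path, proc, action="creation"):
    """Build a minimal ECS file event (constructed sample, not real telemetry)."""
    return {"event": {"category": "file", "action": action},
            "file": {"path": path, "extension": path.rsplit(".", 1)[-1].lower()},
            "process": {"name": proc}}


def process_event(name, parent=None, command_line=""):
    """Build a minimal ECS process-start event (constructed sample)."""
    return {"event": {"category": "process", "type": "start"},
            "process": {"name": name, "parent": {"name": parent},
                        "command_line": command_line}}


AGENTS_DIR = r"C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents"
SAMPLE_EVENTS = [  # constructed; "VendorSetup.exe" is a hypothetical vendor installer
    file_event(AGENTS_DIR + r"\agent.dll", "powershell.exe"),
    file_event(AGENTS_DIR + r"\Microsoft.Exchange.Transport.Agent.AntiSpam.dll",
               "ExSetup.exe", "modification"),
    process_event("cmd.exe", parent="EdgeTransport.exe", command_line="cmd.exe /c whoami"),
    process_event("w3wp.exe", parent="EdgeTransport.exe"),
    process_event("powershell.exe", parent="explorer.exe",
                  command_line='Install-TransportAgent -Name "Test Agent" '
                               '-TransportAgentFactory "Test.AgentFactory" '
                               r'-AssemblyPath "C:\agents\agent.dll"'),
    process_event("powershell.exe", parent="explorer.exe", command_line="Get-TransportAgent"),
    file_event(AGENTS_DIR + r"\Vendor\VendorAgent.dll", "VendorSetup.exe"),
]


def run(events, **tuning):
    """Evaluate every event; returns the firing branch per event (None = no alert)."""
    return [evaluate(e, **tuning) for e in events]


if __name__ == "__main__":
    print("untuned:", run(SAMPLE_EVENTS))
    print("tuned:  ", run(SAMPLE_EVENTS, extra_installers=("vendorsetup.exe",)))
```

Untuned, the last constructed event (a vendor DLL dropped by a vendor installer) fires branch 1, which is exactly the third-party-agent false positive above; passing that installer name through extra_installers suppresses it without touching the other six results. Keep such exclusions narrow (installer name plus the vendor's own subdirectory) rather than allowlisting the whole agents directory, since a DLL written there by powershell.exe is the LightNeuron-style signal the rule exists to catch.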
Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Installed Transport Agents (Detection Audit)

     Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.

  2. Test 2: Simulate Transport Agent DLL Drop (File Write Test)

     Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.

  3. Test 3: Check Exchange Admin Audit Log for Transport Agent Commands

     Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.
