T1505.002 CrowdStrike LogScale · LogScale

Detect Transport Agent in CrowdStrike LogScale

Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that are loaded into the transport service and invoked on SMTP and routing events, so they see every message passing through the transport pipeline. Turla's LightNeuron malware is the canonical example: registered as a transport agent on Exchange, it could read, modify and block mail transiting the server, exfiltrated message content, and received commands hidden steganographically in PDF and JPG email attachments.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.002 Transport Agent
Canonical reference
https://attack.mitre.org/techniques/T1505/002/

LogScale Detection Query

CrowdStrike LogScale (CQL)
#event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2|FileWritten)$/
| case {
    #event_simpleName = "FileWritten"
      FilePath = /(?i)(\\Microsoft\\Exchange Server\\|\\Exchange Server\\|\\v15\\Bin\\|\\TransportRoles\\|\\FrontEnd\\TransportAgent\\)/
      FileName = /(?i)\.dll$/
      ImageFileName != /(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe$/
      | detection_type := "Exchange_Transport_DLL_Drop" ;
    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
      ParentBaseFileName = /(?i)^(EdgeTransport|MSExchangeTransport)\.exe$/
      FileName = /(?i)^(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe$/
      | detection_type := "Exchange_Transport_OS_Command" ;
    #event_simpleName = /^(ProcessRollup2|SyntheticProcessRollup2)$/
      FileName = /(?i)^(powershell|pwsh)\.exe$/
      CommandLine = /(?i)(Install-TransportAgent|Enable-TransportAgent|Set-TransportAgent)/
      | detection_type := "Transport_Agent_Install_Command" ;
  }
| groupBy(
    [ComputerName, UserName, detection_type, FileName, ParentBaseFileName],
    function=[
      collect([CommandLine, FilePath], limit=10),
      count(as=event_count)
    ]
  )
| sort(event_count, order=desc)
Severity: critical. Confidence: high.

CrowdStrike Query Language (CQL) query over ProcessRollup2, SyntheticProcessRollup2 and FileWritten events to detect Exchange transport agent persistence. The case{} block classifies each event into one of three detection types, taking the first branch that matches: a .dll written into an Exchange transport path by a process other than a known Exchange installer, a command interpreter or LOLBin started as a child of the transport service processes (EdgeTransport.exe, MSExchangeTransport.exe), and a PowerShell process whose command line carries a transport-agent cmdlet. Results are grouped by host, user, detection type and process so repeated activity from one endpoint collapses into a single row that keeps up to ten distinct command lines and file paths, with the busiest rows sorted first.
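The same branch logic and grouping, re-expressed as an added Python example so it can be exercised offline against a handful of constructed events. This is illustration written for this page, not CrowdStrike or LogScale code: the field names (FilePath, FileName, ImageFileName, ParentBaseFileName, CommandLine, ComputerName, UserName) are taken from the query above, the cmdlet pattern lists Install-, Enable- and Set-TransportAgent, and every event, host name and path is invented. Beyond replaying the three branches it shows two edge cases a practitioner should know: a dropper renamed to setup.exe is swallowed by the name-only installer exclusion, and an interactive Exchange Management Shell launch never puts the cmdlet into CommandLine, so the install branch cannot see it.

```python
import re
from collections import defaultdict

# Patterns transcribed from the CQL branches (all case-insensitive).
EXCHANGE_PATHS = re.compile(
    r"(\\Microsoft\\Exchange Server\\|\\Exchange Server\\|\\v15\\Bin\\"
    r"|\\TransportRoles\\|\\FrontEnd\\TransportAgent\\)", re.I)
DLL_NAME = re.compile(r"\.dll$", re.I)
INSTALLER = re.compile(r"(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe$", re.I)
TRANSPORT_PARENT = re.compile(r"^(EdgeTransport|MSExchangeTransport)\.exe$", re.I)
LOLBIN = re.compile(r"^(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe$", re.I)
PS_NAME = re.compile(r"^(powershell|pwsh)\.exe$", re.I)
AGENT_CMDLET = re.compile(r"(Install-TransportAgent|Enable-TransportAgent|Set-TransportAgent)", re.I)
PROCESS_EVENTS = {"ProcessRollup2", "SyntheticProcessRollup2"}


def classify(ev):
    """Mirror the case{} block: return the detection_type of the first
    matching branch, or None when no branch matches."""
    name = ev.get("#event_simpleName")
    if name == "FileWritten":
        if (EXCHANGE_PATHS.search(ev.get("FilePath", ""))
                and DLL_NAME.search(ev.get("FileName", ""))
                and not INSTALLER.search(ev.get("ImageFileName", ""))):
            return "Exchange_Transport_DLL_Drop"
        return None
    if name in PROCESS_EVENTS:
        if (TRANSPORT_PARENT.search(ev.get("ParentBaseFileName", ""))
                and LOLBIN.search(ev.get("FileName", ""))):
            return "Exchange_Transport_OS_Command"
        if (PS_NAME.search(ev.get("FileName", ""))
                and AGENT_CMDLET.search(ev.get("CommandLine", ""))):
            return "Transport_Agent_Install_Command"
    return None


def detect(events):
    """Mirror groupBy(..., collect([CommandLine, FilePath], limit=10), count(as=event_count))
    followed by sort(event_count, order=desc)."""
    groups = defaultdict(lambda: {"event_count": 0, "CommandLine": [], "FilePath": []})
    for ev in events:
        dt = classify(ev)
        if dt is None:
            continue
        key = (ev.get("ComputerName"), ev.get("UserName"), dt,
               ev.get("FileName"), ev.get("ParentBaseFileName"))
        g = groups[key]
        g["event_count"] += 1
        for field in ("CommandLine", "FilePath"):  # collect(): distinct values, capped at 10
            value = ev.get(field)
            if value and value not in g[field] and len(g[field]) < 10:
                g[field].append(value)
    rows = [{"ComputerName": k[0], "UserName": k[1], "detection_type": k[2],
             "FileName": k[3], "ParentBaseFileName": k[4], **v} for k, v in groups.items()]
    return sorted(rows, key=lambda r: -r["event_count"])


EXCH = r"C:\Program Files\Microsoft\Exchange Server\V15"
SVC = r"NT AUTHORITY\NETWORK SERVICE"

# Constructed sample events (not real telemetry); field names as in the query above.
SAMPLE_EVENTS = [
    # 0: agent DLL staged by PowerShell -> fires the DLL-drop branch
    {"#event_simpleName": "FileWritten", "ComputerName": "EXCH01", "UserName": "CORP\\exadmin",
     "ImageFileName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "FilePath": EXCH + r"\TransportRoles\agents\df00tech-test-agent.dll",
     "FileName": "df00tech-test-agent.dll"},
    # 1: Exchange CU installer writing its own DLL -> excluded by installer name
    {"#event_simpleName": "FileWritten", "ComputerName": "EXCH01", "UserName": "CORP\\exadmin",
     "ImageFileName": EXCH + r"\Bin\ExSetup.exe",
     "FilePath": EXCH + r"\Bin\Microsoft.Exchange.Transport.dll",
     "FileName": "Microsoft.Exchange.Transport.dll"},
    # 2: dropper renamed to setup.exe -> also excluded; the name-only exclusion is a gap
    {"#event_simpleName": "FileWritten", "ComputerName": "EXCH01", "UserName": "CORP\\exadmin",
     "ImageFileName": r"C:\Users\Public\setup.exe",
     "FilePath": EXCH + r"\TransportRoles\agents\Hygiene\agent.dll",
     "FileName": "agent.dll"},
    # 3, 4: cmd.exe spawned twice by the transport service -> one row with event_count 2
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "EXCH01", "UserName": SVC,
     "ParentBaseFileName": "EdgeTransport.exe", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "EXCH01", "UserName": SVC,
     "ParentBaseFileName": "EdgeTransport.exe", "FileName": "cmd.exe",
     "CommandLine": "cmd.exe /c net user"},
    # 5: scripted install with the cmdlet on the command line -> fires the install branch
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "EXCH01", "UserName": "CORP\\exadmin",
     "ParentBaseFileName": "cmd.exe", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -Command \"Install-TransportAgent -Name 'Mail Filter' "
                    "-TransportAgentFactory MailFilter.Factory -AssemblyPath " + EXCH +
                    "\\TransportRoles\\agents\\df00tech-test-agent.dll\""},
    # 6: interactive Exchange Management Shell launch; the cmdlet is typed later and never
    #    reaches CommandLine, so nothing fires even if Install-TransportAgent is run
    {"#event_simpleName": "ProcessRollup2", "ComputerName": "EXCH01", "UserName": "CORP\\exadmin",
     "ParentBaseFileName": "explorer.exe", "FileName": "powershell.exe",
     "CommandLine": "powershell.exe -noexit -command \". '" + EXCH +
                    "\\bin\\RemoteExchange.ps1'; Connect-ExchangeServer -auto\""},
]

if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row["event_count"], row["detection_type"], row["FileName"],
              row["CommandLine"] or row["FilePath"])
```

Running the block prints three rows, the cmd.exe row first with event_count 2; events 1, 2 and 6 produce nothing, which is exactly the point: the installer exclusion and the missing interactive command line are the two blind spots the tuning notes below need to cover.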

Data Sources

  • CrowdStrike Falcon Sensor (Falcon Data Replicator or Event Search)
  • LogScale Falcon Event Stream: ProcessRollup2, SyntheticProcessRollup2
  • LogScale Falcon Event Stream: FileWritten

Required Tables

  • ProcessRollup2
  • SyntheticProcessRollup2
  • FileWritten

False Positives & Tuning

  • Exchange cumulative-update and security-update installs write many DLLs under \V15\Bin\; the FileWritten branch excludes them only by the name of the writing process, so a CU run through a wrapper, an SCCM package or another deployment tool whose process name is not in the exclusion list will fire during the patching cycle. The same name-only exclusion works in the attacker's favour: a dropper named setup.exe or msiexec.exe is excluded too, so do not treat the exclusion as a trust boundary; confirm the signer or hash of the writing process where your tenant exposes it.
  • Third-party products that legitimately register transport agents (secure email gateways, DLP, archiving and signature/disclaimer tools) drop agent DLLs into the same paths during installation and upgrades and will trigger the DLL-drop branch; baseline them by writing process and file hash rather than by path alone.
  • The Transport_Agent_Install_Command branch only matches when the cmdlet is present in the process command line, for example -Command "Install-TransportAgent ..." from a script or runbook. In an interactive Exchange Management Shell session the cmdlet is typed after powershell.exe has started and never appears in ProcessRollup2 CommandLine, and Exchange remoting executes it server-side rather than in the local process, so an interactive install by an administrator or an attacker is invisible to this branch. Correlate with the Exchange admin audit log (Search-AdminAuditLog) for the cmdlet itself, and expect a legitimate scripted install to look identical to a malicious one without session context.
  • Field names differ between Falcon data feeds and sensor versions; confirm that FilePath, FileName and ImageFileName actually resolve for FileWritten events in your repository (FDR commonly carries the written path as TargetFileName) and adjust the branch before relying on it.


Testing Methodology

Validate this detection with the three tests below. Each test lists the behaviour to exercise and the telemetry you should expect. The expected signals are written against Sysmon, so map them to Falcon events when checking the query: Sysmon EventCode 1 (process create) corresponds to ProcessRollup2, EventCode 11 (file create) to FileWritten. Only Test 2 matches a branch of the query above (Exchange_Transport_DLL_Drop, because a .dll under \TransportRoles\ is written by powershell.exe, which is not an excluded installer); Tests 1 and 3 exercise the Get-TransportAgent and Search-AdminAuditLog audit paths, produce telemetry, and should not raise an alert.

  1. Test 1: List Installed Transport Agents (Detection Audit)

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.

  2. Test 2: Simulate Transport Agent DLL Drop (File Write Test)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.

  3. Test 3: Check Exchange Admin Audit Log for Transport Agent Commands

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.
