T1505.002 IBM QRadar · QRadar

Detect Transport Agent in IBM QRadar

Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline. Turla's LightNeuron malware is the canonical example — registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance.

MITRE ATT&CK

Tactic
Persistence
Technique
T1505 Server Software Component
Sub-technique
T1505.002 Transport Agent
Canonical reference
https://attack.mitre.org/techniques/T1505/002/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  "sourceip",
  "destinationip",
  username,
  "hostname",
  "Image" AS process_image,
  "CommandLine" AS command_line,
  "ParentImage" AS parent_image,
  "TargetFilename" AS target_filename,
  CASE
    WHEN "EventID" = '11'
      AND ("TargetFilename" ILIKE '%\\Exchange Server\\%'
           OR "TargetFilename" ILIKE '%\\TransportRoles\\%'
           OR "TargetFilename" ILIKE '%\\v15\\Bin\\%'
           OR "TargetFilename" ILIKE '%\\FrontEnd\\TransportAgent\\%')
      AND "TargetFilename" ILIKE '%.dll'
      AND "Image" NOT ILIKE '%exsetup.exe'
      AND "Image" NOT ILIKE '%updateexchangesetup.exe'
      AND "Image" NOT ILIKE '%msiexec.exe'
      AND "Image" NOT ILIKE '%setup.exe'
      THEN 'Exchange_Transport_DLL_Drop'
    WHEN "EventID" = '1'
      AND ("ParentImage" ILIKE '%EdgeTransport.exe'
           OR "ParentImage" ILIKE '%MSExchangeTransport.exe')
      AND ("Image" ILIKE '%\\cmd.exe'
           OR "Image" ILIKE '%\\powershell.exe'
           OR "Image" ILIKE '%\\wscript.exe'
           OR "Image" ILIKE '%\\cscript.exe'
           OR "Image" ILIKE '%\\certutil.exe'
           OR "Image" ILIKE '%\\bitsadmin.exe'
           OR "Image" ILIKE '%\\mshta.exe'
           OR "Image" ILIKE '%\\rundll32.exe'
           OR "Image" ILIKE '%\\net.exe')
      THEN 'Exchange_Transport_OS_Command'
    WHEN "EventID" = '1'
      AND ("Image" ILIKE '%\\powershell.exe'
           OR "Image" ILIKE '%\\pwsh.exe')
      AND ("CommandLine" ILIKE '%Install-TransportAgent%'
           OR "CommandLine" ILIKE '%Enable-TransportAgent%'
           OR "CommandLine" ILIKE '%New-TransportAgentConnector%'
           OR "CommandLine" ILIKE '%Set-TransportAgent%')
      THEN 'Transport_Agent_Install_Command'
    ELSE NULL
  END AS detection_type
FROM events
WHERE LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
  AND devicetime > (NOW() - 86400000)
  AND (
    (
      "EventID" = '11'
      AND ("TargetFilename" ILIKE '%\\Exchange Server\\%'
           OR "TargetFilename" ILIKE '%\\TransportRoles\\%'
           OR "TargetFilename" ILIKE '%\\v15\\Bin\\%'
           OR "TargetFilename" ILIKE '%\\FrontEnd\\TransportAgent\\%')
      AND "TargetFilename" ILIKE '%.dll'
      AND "Image" NOT ILIKE '%exsetup.exe'
      AND "Image" NOT ILIKE '%updateexchangesetup.exe'
      AND "Image" NOT ILIKE '%msiexec.exe'
      AND "Image" NOT ILIKE '%setup.exe'
    ) OR (
      "EventID" = '1'
      AND ("ParentImage" ILIKE '%EdgeTransport.exe' OR "ParentImage" ILIKE '%MSExchangeTransport.exe')
      AND ("Image" ILIKE '%\\cmd.exe' OR "Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\wscript.exe'
           OR "Image" ILIKE '%\\cscript.exe' OR "Image" ILIKE '%\\certutil.exe' OR "Image" ILIKE '%\\bitsadmin.exe'
           OR "Image" ILIKE '%\\mshta.exe' OR "Image" ILIKE '%\\rundll32.exe' OR "Image" ILIKE '%\\net.exe')
    ) OR (
      "EventID" = '1'
      AND ("Image" ILIKE '%\\powershell.exe' OR "Image" ILIKE '%\\pwsh.exe')
      AND ("CommandLine" ILIKE '%Install-TransportAgent%' OR "CommandLine" ILIKE '%Enable-TransportAgent%' OR "CommandLine" ILIKE '%New-TransportAgentConnector%' OR "CommandLine" ILIKE '%Set-TransportAgent%')
    )
  )
ORDER BY devicetime DESC
```

Severity: critical · Confidence: high

AQL query against the QRadar SIEM that evaluates Sysmon EventID 1 (process creation) and EventID 11 (file creation) events to identify Exchange transport agent abuse; each event is classified on its own, there is no cross-event correlation. It detects DLL staging to Exchange transport paths, command interpreters spawned by Exchange transport processes, and PowerShell-based agent installation cmdlets. The WHERE clause must pre-filter on the same conditions as the CASE expression, because an alias defined in SELECT (detection_type) cannot be referenced in an AQL WHERE clause. Requires the Sysmon DSM with custom properties mapped for the Image, CommandLine, ParentImage, and TargetFilename fields.

Data Sources

  • Sysmon DSM (Microsoft-Windows-Sysmon/Operational)
  • Microsoft Windows Security Event Log DSM
  • QRadar Universal DSM with custom Sysmon property mappings

Required Tables

events

False Positives & Tuning

  • Exchange server patching via automated deployment tools (SCCM, Ansible) that invoke setup wrappers not matching the excluded installer process names — custom wrapper scripts calling msiexec indirectly will appear as unsigned DLL writes
  • Security scanning products (e.g., CrowdStrike Falcon sensor, Carbon Black) reading Exchange transport DLL paths during scheduled scans may generate EventID 11 entries for file access on some Sysmon configurations
  • Exchange administrators legitimately registering approved third-party transport agents via remote PowerShell sessions — the Install-TransportAgent cmdlet is the expected installation mechanism for any transport agent
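The three CASE branches and the installer exclusions of the query above, ported to Python as an added example so they can be exercised offline against constructed Sysmon-style records. This is not code from the original page or from QRadar; the path, process and cmdlet patterns are copied from the query, while the sample events, the hostname EXCH01 and the agent name ExampleAgent are constructed. The sample set includes an ExSetup.exe write (excluded by the installer filter, per the tuning notes) and a Get-TransportAgent invocation, which is the Test 1 signal in the Testing Methodology but does not fire the install branch because only the installation cmdlets are matched.

```python
"""The detection_type logic of the T1505.002 AQL query, as Python (added example).
Field names mirror the Sysmon custom properties used by the query: EventID, Image,
ParentImage, CommandLine, TargetFilename. Every sample event below is constructed."""
import re
from typing import Iterable, Optional


def ilike(value: Optional[str], pattern: str) -> bool:
    """Case-insensitive SQL LIKE: '%' matches any run, '_' one character."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value or "", re.IGNORECASE | re.DOTALL) is not None


def any_ilike(value: Optional[str], patterns: Iterable[str]) -> bool:
    return any(ilike(value, p) for p in patterns)


# Patterns copied from the AQL query.
EXCHANGE_PATHS = ("%\\Exchange Server\\%", "%\\TransportRoles\\%",
                  "%\\v15\\Bin\\%", "%\\FrontEnd\\TransportAgent\\%")
INSTALLER_IMAGES = ("%exsetup.exe", "%updateexchangesetup.exe",
                    "%msiexec.exe", "%setup.exe")
TRANSPORT_PARENTS = ("%EdgeTransport.exe", "%MSExchangeTransport.exe")
INTERPRETERS = ("%\\cmd.exe", "%\\powershell.exe", "%\\wscript.exe", "%\\cscript.exe",
                "%\\certutil.exe", "%\\bitsadmin.exe", "%\\mshta.exe",
                "%\\rundll32.exe", "%\\net.exe")
POWERSHELL = ("%\\powershell.exe", "%\\pwsh.exe")
INSTALL_CMDLETS = ("%Install-TransportAgent%", "%Enable-TransportAgent%",
                   "%New-TransportAgentConnector%", "%Set-TransportAgent%")


def classify(event: dict) -> Optional[str]:
    """Return the detection_type the AQL CASE would assign, or None.
    Branch order matches the query: the first matching WHEN wins."""
    event_id = str(event.get("EventID", ""))
    image = event.get("Image")
    if event_id == "11":
        target = event.get("TargetFilename")
        if (any_ilike(target, EXCHANGE_PATHS) and ilike(target, "%.dll")
                and not any_ilike(image, INSTALLER_IMAGES)):
            return "Exchange_Transport_DLL_Drop"
    elif event_id == "1":
        if (any_ilike(event.get("ParentImage"), TRANSPORT_PARENTS)
                and any_ilike(image, INTERPRETERS)):
            return "Exchange_Transport_OS_Command"
        if (any_ilike(image, POWERSHELL)
                and any_ilike(event.get("CommandLine"), INSTALL_CMDLETS)):
            return "Transport_Agent_Install_Command"
    return None


def detect(events: Iterable[dict]) -> list:
    """Rows the query would return: (hostname, detection_type) for matching events."""
    return [(e.get("hostname"), d) for e in events if (d := classify(e)) is not None]


# Constructed sample telemetry (hostname and file/agent names are made up).
EXCH_BIN = "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\"
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # 1. DLL written into the agents folder by PowerShell (the Test 2 signal) -> fires
    {"hostname": "EXCH01", "EventID": "11", "Image": PS_EXE,
     "TargetFilename": "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\"
                       "TransportRoles\\agents\\df00tech-test-agent.dll"},
    # 2. Same kind of write by the Exchange installer -> excluded by the installer filter
    {"hostname": "EXCH01", "EventID": "11", "Image": EXCH_BIN + "ExSetup.exe",
     "TargetFilename": EXCH_BIN + "Microsoft.Exchange.Transport.Agent.Hygiene.dll"},
    # 3. cmd.exe spawned by the transport worker process -> fires
    {"hostname": "EXCH01", "EventID": "1", "ParentImage": EXCH_BIN + "EdgeTransport.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    # 4. Agent registration cmdlet from an interactive PowerShell -> fires
    {"hostname": "EXCH01", "EventID": "1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS_EXE, "CommandLine": "powershell.exe -Command Install-TransportAgent -Name ExampleAgent"},
    # 5. Audit of installed agents (Test 1 signal) -> not an installation cmdlet, no hit
    {"hostname": "EXCH01", "EventID": "1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": PS_EXE, "CommandLine": "powershell.exe -Command Get-TransportAgent"},
]

if __name__ == "__main__":
    for host, hit in detect(SAMPLE_EVENTS):
        print(host, hit)
```

Running the block prints three rows (DLL drop, OS command, install command); events 2 and 5 are dropped for the reasons given in the comments. To cover the audit cmdlets from Tests 1 and 3 you would add them to a separate, lower-severity branch rather than to INSTALL_CMDLETS, since Get-TransportAgent is routine administrative activity.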

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: List Installed Transport Agents (Detection Audit)

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.

  2. Test 2: Simulate Transport Agent DLL Drop (File Write Test)

    Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.

  3. Test 3: Check Exchange Admin Audit Log for Transport Agent Commands

    Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.

Unlock Pro Content

Get the full detection package for T1505.002 including response playbook, investigation guide, and atomic red team tests.
