T1505.002 Microsoft Sentinel · KQL

Detect Transport Agent in Microsoft Sentinel

Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline. Turla's LightNeuron malware is the canonical example — registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance.

MITRE ATT&CK

  • Tactic: Persistence
  • Technique: T1505 Server Software Component
  • Sub-technique: T1505.002 Transport Agent
  • Canonical reference: https://attack.mitre.org/techniques/T1505/002/

KQL Detection Query

Microsoft Sentinel (KQL)

```kusto
// T1505.002 — Exchange Transport Agent persistence detection
// Transport agents are .NET DLLs registered in Exchange configuration
// Part 1: Detect new DLL drops in Exchange transport agent directories
let ExchangeAgentDrop = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (
    "\\Microsoft\\Exchange Server\\",
    "\\Exchange Server\\",
    "\\v15\\Bin\\",
    "\\TransportRoles\\",
    "\\FrontEnd\\TransportAgent\\"
  )
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("exsetup.exe", "updateexchangesetup.exe",
                                         "ExchangeSetup.exe", "msiexec.exe", "setup.exe")
| extend DetectionType = "Exchange_Transport_DLL_Write"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 2: Detect Exchange transport pipeline process spawning OS commands
let ExchangeChildProc = DeviceProcessEvents
| where Timestamp > ago(24h)
| where InitiatingProcessFileName in~ ("EdgeTransport.exe", "MSExchangeTransport.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "net.exe")
| extend DetectionType = "Exchange_Transport_OS_Command"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
// Part 3: Detect Install-TransportAgent or New-TransportAgentConnector PowerShell commands
let ExchangeAgentPS = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Install-TransportAgent", "Enable-TransportAgent",
                                    "New-TransportAgentConnector", "Set-TransportAgent")
| extend DetectionType = "Exchange_Transport_Agent_Install"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, DetectionType;
union ExchangeAgentDrop, ExchangeChildProc, ExchangeAgentPS
| sort by Timestamp desc
```

Severity: critical · Confidence: high

Three-part detection for Exchange Transport Agent persistence. Part 1 monitors for DLL file writes to Exchange transport directories from non-setup processes. Part 2 detects Exchange transport processes (EdgeTransport.exe, MSExchangeTransport.exe) spawning OS utilities, indicating a malicious agent executing commands. Part 3 catches PowerShell cmdlets used to install or enable transport agents (Install-TransportAgent, Enable-TransportAgent).
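Before enabling the rule, the same three-part logic can be exercised against inline `datatable` rows in the Logs blade, with one row that should fire for each part and one row for each exclusion that should stay silent. The block below is an added example, not part of the original rule or of any Atomic Red Team test; every device name, account, path and command line in it is constructed, and the `ago(24h)` window is omitted because the sample rows carry fixed timestamps.

```kusto
// Added example: exercise the T1505.002 logic against constructed rows
// instead of the live DeviceFileEvents / DeviceProcessEvents tables.
// All device names, accounts, paths and command lines below are invented.
let SampleFileEvents = datatable(
    Timestamp:datetime, DeviceName:string, AccountName:string, ActionType:string,
    FileName:string, FolderPath:string,
    InitiatingProcessFileName:string, InitiatingProcessCommandLine:string)
[
    // Should fire (Part 1): DLL copied into the agents folder by PowerShell
    datetime(2024-05-01 10:00:00), "EXCH01", "svc-backup", "FileCreated", "MailAgent.dll",
        @"C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\MailAgent.dll",
        "powershell.exe",
        @"powershell.exe -nop -c Copy-Item C:\Users\Public\MailAgent.dll 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\'",
    // Should stay silent: cumulative update writing a DLL via ExSetup (excluded process)
    datetime(2024-05-01 10:05:00), "EXCH01", "SYSTEM", "FileModified", "Microsoft.Exchange.Transport.dll",
        @"C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Transport.dll",
        "exsetup.exe", "ExSetup.exe /Mode:Upgrade",
    // Should stay silent: a .config edit, not a DLL write
    datetime(2024-05-01 10:06:00), "EXCH01", "exadmin", "FileModified", "EdgeTransport.exe.config",
        @"C:\Program Files\Microsoft\Exchange Server\V15\Bin\EdgeTransport.exe.config",
        "notepad.exe", "notepad.exe EdgeTransport.exe.config"
];
let SampleProcessEvents = datatable(
    Timestamp:datetime, DeviceName:string, AccountName:string, FileName:string,
    ProcessCommandLine:string, InitiatingProcessFileName:string, InitiatingProcessCommandLine:string)
[
    // Should fire (Part 2): the transport worker spawning cmd.exe
    datetime(2024-05-01 10:10:00), "EXCH01", "NETWORK SERVICE", "cmd.exe",
        "cmd.exe /c whoami", "EdgeTransport.exe", "EdgeTransport.exe",
    // Should fire (Part 3): agent registration cmdlets from a shell
    datetime(2024-05-01 10:12:00), "EXCH01", "svc-backup", "powershell.exe",
        @"powershell.exe -c Install-TransportAgent -Name MailAgent -TransportAgentFactory Mail.AgentFactory -AssemblyPath 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\MailAgent.dll'; Enable-TransportAgent MailAgent",
        "cmd.exe", "cmd.exe",
    // Should stay silent: read-only inventory of agents (Get-TransportAgent is not in the cmdlet list)
    datetime(2024-05-01 10:15:00), "EXCH01", "exadmin", "powershell.exe",
        "powershell.exe -c Get-TransportAgent", "explorer.exe", "explorer.exe"
];
// Same three parts as the production rule, minus the ago(24h) filter.
let AgentDrop = SampleFileEvents
| where ActionType in ("FileCreated", "FileModified")
| where FolderPath has_any (@"\Microsoft\Exchange Server\", @"\Exchange Server\", @"\v15\Bin\",
                            @"\TransportRoles\", @"\FrontEnd\TransportAgent\")
| where FileName endswith ".dll"
| where InitiatingProcessFileName !in~ ("exsetup.exe", "updateexchangesetup.exe",
                                         "ExchangeSetup.exe", "msiexec.exe", "setup.exe")
| extend DetectionType = "Exchange_Transport_DLL_Write"
| project Timestamp, DeviceName, AccountName, FileName,
          CommandLine = InitiatingProcessCommandLine, DetectionType;
let ChildProc = SampleProcessEvents
| where InitiatingProcessFileName in~ ("EdgeTransport.exe", "MSExchangeTransport.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                      "certutil.exe", "bitsadmin.exe", "mshta.exe", "rundll32.exe", "net.exe")
| extend DetectionType = "Exchange_Transport_OS_Command"
| project Timestamp, DeviceName, AccountName, FileName,
          CommandLine = ProcessCommandLine, DetectionType;
let AgentPS = SampleProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("Install-TransportAgent", "Enable-TransportAgent",
                                    "New-TransportAgentConnector", "Set-TransportAgent")
| extend DetectionType = "Exchange_Transport_Agent_Install"
| project Timestamp, DeviceName, AccountName, FileName,
          CommandLine = ProcessCommandLine, DetectionType;
union AgentDrop, ChildProc, AgentPS
| sort by Timestamp asc
```

The harness should return exactly three rows, one per DetectionType, in the order DLL write, cmd.exe spawn, Install-TransportAgent. If the ExSetup row shows up, the setup-process exclusion has been altered; if the Get-TransportAgent row shows up, the cmdlet list has been broadened beyond the install and enable verbs, which will also surface every routine audit of agents.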

Data Sources

  • File: File Creation
  • Process: Process Creation
  • Microsoft Defender for Endpoint

Required Tables

  • DeviceFileEvents
  • DeviceProcessEvents

False Positives & Tuning

  • Legitimate Exchange transport agent installations for anti-spam, DLP, or email archiving solutions (Mimecast, Proofpoint, Microsoft journaling agents)
  • Exchange cumulative update installation writing DLLs to Exchange directories
  • IT administrators deploying custom transport agents for compliance journaling or email routing
  • Third-party email security products that register as transport agents

Testing Methodology

Validate this detection against three Atomic Red Team tests. Each test below lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: List Installed Transport Agents (Detection Audit)

     Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.

  2. Test 2: Simulate Transport Agent DLL Drop (File Write Test)

     Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.

  3. Test 3: Check Exchange Admin Audit Log for Transport Agent Commands

     Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.
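The expected signals above are Sysmon events rather than Defender for Endpoint rows, so a workspace that forwards Sysmon into the Sentinel `Event` table can confirm each test fired without the Device* tables. The query below is an added example, not part of the original page or of Atomic Red Team; it assumes Sysmon arrives with `Source == "Microsoft-Windows-Sysmon"` and the default XML `EventData` layout (one `<Data Name="...">` element per field), and the 24h lookback is an arbitrary choice.

```kusto
// Added example: confirm the three Atomic test signals from Sysmon in the
// Sentinel Event table. Assumes Source "Microsoft-Windows-Sysmon" and the
// default <Data Name="...">value</Data> EventData layout.
let lookback = 24h;
let SysmonEvents = Event
| where TimeGenerated > ago(lookback)
| where Source == "Microsoft-Windows-Sysmon"
| extend Image          = extract(@'<Data Name="Image">([^<]*)</Data>', 1, EventData),
         CommandLine    = extract(@'<Data Name="CommandLine">([^<]*)</Data>', 1, EventData),
         TargetFilename = extract(@'<Data Name="TargetFilename">([^<]*)</Data>', 1, EventData);
// Test 1 and Test 3: EventID 1 (process create), powershell.exe running an audit cmdlet
let AuditCmdlets = SysmonEvents
| where EventID == 1
| where Image endswith @"\powershell.exe"
| where CommandLine has_any ("Get-TransportAgent", "Search-AdminAuditLog")
| extend TestSignal = iff(CommandLine has "Get-TransportAgent",
                          "Test1_ListAgents", "Test3_AdminAuditLog")
| project TimeGenerated, Computer, TestSignal, Image, Evidence = CommandLine;
// Test 2: EventID 11 (file create), the test DLL written under TransportRoles\agents by powershell.exe
let DllDrop = SysmonEvents
| where EventID == 11
| where Image endswith @"\powershell.exe"
| where TargetFilename contains @"TransportRoles\agents\df00tech-test-agent.dll"
| extend TestSignal = "Test2_AgentDllDrop"
| project TimeGenerated, Computer, TestSignal, Image, Evidence = TargetFilename;
union AuditCmdlets, DllDrop
| summarize FirstSeen = min(TimeGenerated), Hits = count() by Computer, TestSignal
| sort by Computer asc, TestSignal asc
```

One row per host and test signal is the goal; a missing Test2_AgentDllDrop row on a host where the DLL write succeeded usually means Sysmon's file-create rules do not cover the Exchange install path, which is worth fixing before trusting Part 1 of the rule on that host. Note that Test 1 and Test 3 audit the environment and are not expected to trigger the production rule, which only fires on install, enable and set verbs.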
