Detect Transport Agent in Splunk
Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline. Turla's LightNeuron malware is the canonical example — registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.002 Transport Agent
- Canonical reference: https://attack.mitre.org/techniques/T1505/002/
SPL Detection Query
```spl
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| eval detection_type=case(
    EventCode=11 AND
    match(TargetFilename, "(?i)(\\\\Exchange Server|\\\\TransportRoles|\\\\v15\\\\Bin)") AND
    match(TargetFilename, "(?i)\.dll$") AND
    NOT match(Image, "(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe"),
        "Exchange_Transport_DLL_Drop",
    EventCode=1 AND
    match(ParentImage, "(?i)(EdgeTransport|MSExchangeTransport)\.exe") AND
    match(Image, "(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe"),
        "Exchange_Transport_OS_Command",
    EventCode=1 AND
    match(Image, "(?i)(powershell|pwsh)\.exe") AND
    match(CommandLine, "(?i)(Install-TransportAgent|Enable-TransportAgent|New-TransportAgentConnector|Set-TransportAgent)"),
        "Transport_Agent_Install_Command",
    true(), null()
)
| where isnotnull(detection_type)
| table _time, host, User, detection_type, Image, CommandLine, TargetFilename, ParentImage
| sort - _time
```

Detects Exchange transport agent persistence via Sysmon. DLL drops into Exchange directories (EventCode 11) by processes other than Exchange setup are high-fidelity indicators of transport agent installation. Exchange transport processes spawning shells (EventCode 1) indicate an active agent executing OS commands. PowerShell Install-TransportAgent and related cmdlets (EventCode 1) indicate administrative installation that should be validated against change records.
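To check what each case() branch actually matches before deploying the query, here is an added Python model of the same logic run over constructed Sysmon events; it is not code from the original page or from the detection package. The regexes are transcribed from the SPL (SPL match() is an unanchored search, so re.search() is the equivalent, and the SPL escape "\\\\" is one literal backslash). The paths, DLL names and the Contoso agent factory in the sample events are constructed. One event replays the page's Test 1 (Get-TransportAgent), which falls outside the query's cmdlet pattern: it produces telemetry but no detection_type, which is worth knowing before treating that test as a detection check.

```python
import re

# Regexes transcribed from the three branches of the SPL case() above.
EXCHANGE_DIR_RE = re.compile(r"(?i)(\\Exchange Server|\\TransportRoles|\\v15\\Bin)")
DLL_RE = re.compile(r"(?i)\.dll$")
SETUP_IMAGE_RE = re.compile(r"(?i)(exsetup|updateexchangesetup|ExchangeSetup|msiexec|setup)\.exe")
TRANSPORT_PARENT_RE = re.compile(r"(?i)(EdgeTransport|MSExchangeTransport)\.exe")
SHELL_IMAGE_RE = re.compile(
    r"(?i)(cmd|powershell|wscript|cscript|certutil|bitsadmin|mshta|rundll32|net)\.exe")
PS_IMAGE_RE = re.compile(r"(?i)(powershell|pwsh)\.exe")
INSTALL_CMDLET_RE = re.compile(
    r"(?i)(Install-TransportAgent|Enable-TransportAgent|New-TransportAgentConnector|Set-TransportAgent)")


def classify(event):
    """Return the detection_type the SPL case() assigns to one Sysmon event, or None.

    Branches are evaluated in the same order as the SPL case(), so the first match wins.
    """
    code = event.get("EventCode")
    image = event.get("Image", "")
    if code == 11:
        target = event.get("TargetFilename", "")
        if (EXCHANGE_DIR_RE.search(target) and DLL_RE.search(target)
                and not SETUP_IMAGE_RE.search(image)):
            return "Exchange_Transport_DLL_Drop"
    elif code == 1:
        if (TRANSPORT_PARENT_RE.search(event.get("ParentImage", ""))
                and SHELL_IMAGE_RE.search(image)):
            return "Exchange_Transport_OS_Command"
        if PS_IMAGE_RE.search(image) and INSTALL_CMDLET_RE.search(event.get("CommandLine", "")):
            return "Transport_Agent_Install_Command"
    return None


def detect(events):
    """Keep only classified events ('| where isnotnull(detection_type)'), newest first."""
    hits = []
    for ev in events:
        dt = classify(ev)
        if dt is not None:
            hits.append({"_time": ev.get("_time"), "detection_type": dt,
                         "Image": ev.get("Image"), "CommandLine": ev.get("CommandLine"),
                         "TargetFilename": ev.get("TargetFilename")})
    return sorted(hits, key=lambda h: h["_time"], reverse=True)


PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXCH = r"C:\Program Files\Microsoft\Exchange Server\V15"

# Constructed Sysmon events, with field names as the Splunk Sysmon add-on extracts them.
SAMPLE_EVENTS = [
    # t=1: a DLL written into TransportRoles\agents by PowerShell, not by Exchange setup
    {"_time": 1, "EventCode": 11, "Image": PS_EXE,
     "TargetFilename": EXCH + r"\TransportRoles\agents\df00tech-test-agent.dll"},
    # t=2: a DLL written by ExchangeSetup.exe during a cumulative update: excluded by NOT match()
    {"_time": 2, "EventCode": 11, "Image": r"C:\ExchangeCU\ExchangeSetup.exe",
     "TargetFilename": EXCH + r"\Bin\CustomAgent.dll"},
    # t=3: the transport service spawning a shell
    {"_time": 3, "EventCode": 1, "ParentImage": EXCH + r"\Bin\EdgeTransport.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    # t=4: an administrator registering an agent (constructed Contoso factory and path)
    {"_time": 4, "EventCode": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": r"powershell.exe -Command Install-TransportAgent -Name DlpAgent "
                    r"-TransportAgentFactory Contoso.DlpFactory -AssemblyPath C:\Agents\Dlp.dll"},
    # t=5: the page's Test 1 (Get-TransportAgent): not in the cmdlet pattern, so no hit
    {"_time": 5, "EventCode": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PS_EXE,
     "CommandLine": "powershell.exe -Command Get-TransportAgent"},
    # t=6: a network connection event, which the query never classifies
    {"_time": 6, "EventCode": 3, "Image": EXCH + r"\Bin\EdgeTransport.exe"},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["_time"], hit["detection_type"], hit["Image"])
```

Running the block lists three hits in descending time order (install command, OS command, DLL drop) and silently drops the setup-driven DLL write, the Get-TransportAgent audit and the network event. If you tune the SPL (for example by allowlisting a known anti-spam agent path), change the corresponding regex here first and rerun the sample to confirm the intended branches still fire.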
Data Sources
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (Sysmon EventCode 1 process creation and EventCode 11 file creation, as used by the query above)
False Positives & Tuning
- Legitimate anti-spam or DLP transport agent installations
- Exchange cumulative update deployments
- Compliance journaling agent installations by authorized IT staff
Testing Methodology
Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: List Installed Transport Agents (Detection Audit)
  Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.
- Test 2: Simulate Transport Agent DLL Drop (File Write Test)
  Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.
- Test 3: Check Exchange Admin Audit Log for Transport Agent Commands
  Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.