Detect Transport Agent in Sumo Logic CSE
Adversaries abuse Microsoft Exchange transport agents to establish persistent access and intercept email traffic. Transport agents are .NET assemblies registered with Exchange that process all email passing through the transport pipeline. Turla's LightNeuron malware is the canonical example — registered as a transport agent on Exchange, it intercepted and exfiltrated email content and received commands via steganographic images in email attachments, achieving complete mailbox surveillance.
MITRE ATT&CK
- Tactic: Persistence
- Technique: T1505 Server Software Component
- Sub-technique: T1505.002 Transport Agent
- Canonical reference: https://attack.mitre.org/techniques/T1505/002/
Sumo Detection Query
(_sourceCategory=*windows*sysmon* OR _sourceCategory=*endpoint* OR _sourceCategory=*winevent*)
| parse "<EventID>*</EventID>" as event_id nodrop
| parse "<Image>*</Image>" as process_image nodrop
| parse "<CommandLine>*</CommandLine>" as command_line nodrop
| parse "<ParentImage>*</ParentImage>" as parent_image nodrop
| parse "<TargetFilename>*</TargetFilename>" as target_filename nodrop
| parse "<User>*</User>" as user nodrop
| parse "<Computer>*</Computer>" as computer nodrop
| where event_id in ("1", "11")
| where (
(event_id == "11"
and (target_filename matches "*\\Exchange Server\\*"
or target_filename matches "*\\TransportRoles\\*"
or target_filename matches "*\\v15\\Bin\\*"
or target_filename matches "*\\FrontEnd\\TransportAgent\\*")
and target_filename matches "*.dll"
and !(process_image matches "*exsetup.exe"
or process_image matches "*updateexchangesetup.exe"
or process_image matches "*ExchangeSetup.exe"
or process_image matches "*msiexec.exe"
or process_image matches "*setup.exe"))
or
(event_id == "1"
and (parent_image matches "*EdgeTransport.exe"
or parent_image matches "*MSExchangeTransport.exe")
and (process_image matches "*\\cmd.exe"
or process_image matches "*\\powershell.exe"
or process_image matches "*\\wscript.exe"
or process_image matches "*\\cscript.exe"
or process_image matches "*\\certutil.exe"
or process_image matches "*\\bitsadmin.exe"
or process_image matches "*\\mshta.exe"
or process_image matches "*\\rundll32.exe"
or process_image matches "*\\net.exe"))
or
(event_id == "1"
and (process_image matches "*\\powershell.exe"
or process_image matches "*\\pwsh.exe")
and (command_line matches "*Install-TransportAgent*"
or command_line matches "*Enable-TransportAgent*"
or command_line matches "*New-TransportAgentConnector*"
or command_line matches "*Set-TransportAgent*"))
)
| eval detection_type = if(event_id == "11"
and (target_filename matches "*\\Exchange Server\\*" or target_filename matches "*\\TransportRoles\\*" or target_filename matches "*\\v15\\Bin\\*" or target_filename matches "*\\FrontEnd\\TransportAgent\\*")
and target_filename matches "*.dll",
"Exchange_Transport_DLL_Drop",
if(event_id == "1"
and (parent_image matches "*EdgeTransport.exe" or parent_image matches "*MSExchangeTransport.exe"),
"Exchange_Transport_OS_Command",
"Transport_Agent_Install_Command"))
| fields _messageTime, computer, user, detection_type, process_image, command_line, target_filename, parent_image
| sort by _messageTime desc
Sumo Logic search against Sysmon operational logs parsed via XML field extraction. It identifies all three Exchange transport agent abuse patterns: DLL drops to transport paths (EventID 11, excluding writes made by Exchange setup and MSI installer processes), OS command interpreters spawned by the Exchange transport service processes (EventID 1 with a transport parent), and execution of the PowerShell agent-management cmdlets (EventID 1 with Install-/Enable-/Set-TransportAgent or New-TransportAgentConnector on the command line). The eval labels each hit with the same path list used in the where clause, so a DLL written under FrontEnd\TransportAgent is tagged as a DLL drop rather than falling through to the cmdlet label. Requires Sysmon XML event collection with the Sumo Logic Windows Event Log collector.
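As an added example (not part of the original page or the Sumo Logic rule), the same three-way classification implemented in Python over constructed Sysmon events written in the flattened `<Tag>value</Tag>` form the query's parse statements expect. The field names and wildcard lists are those of the query above; the sample paths, the `constructed-update.dll` file name and the command lines are made up, and the exsetup exclusion and the FrontEnd\TransportAgent path are exercised as the edge cases.

```python
import fnmatch
import re
# Wildcard lists copied from the Sumo query's `matches` clauses.
DLL_PATHS = ("*\\Exchange Server\\*", "*\\TransportRoles\\*", "*\\v15\\Bin\\*",
             "*\\FrontEnd\\TransportAgent\\*")
INSTALLERS = ("*exsetup.exe", "*updateexchangesetup.exe", "*ExchangeSetup.exe",
              "*msiexec.exe", "*setup.exe")
TRANSPORT_PARENTS = ("*EdgeTransport.exe", "*MSExchangeTransport.exe")
INTERPRETERS = ("*\\cmd.exe", "*\\powershell.exe", "*\\wscript.exe", "*\\cscript.exe",
                "*\\certutil.exe", "*\\bitsadmin.exe", "*\\mshta.exe", "*\\rundll32.exe", "*\\net.exe")
AGENT_CMDLETS = ("*Install-TransportAgent*", "*Enable-TransportAgent*",
                 "*New-TransportAgentConnector*", "*Set-TransportAgent*")

def _field(event_xml, tag):
    """Mirror of the query's `parse "<Tag>*</Tag>" as x nodrop`: "" when the tag is absent."""
    m = re.search(r"<%s>(.*?)</%s>" % (tag, tag), event_xml, re.S)
    return m.group(1) if m else ""

def _matches(value, patterns):
    """Case-insensitive wildcard test, like the query's `matches` operator on Windows paths."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def classify(event_xml):
    """Return the detection_type the query assigns to one Sysmon event, or None if benign."""
    eid, image = _field(event_xml, "EventID"), _field(event_xml, "Image")
    if eid == "11":  # FileCreate: DLL written to a transport path by a non-installer process
        target = _field(event_xml, "TargetFilename")
        if (_matches(target, DLL_PATHS) and _matches(target, ("*.dll",))
                and not _matches(image, INSTALLERS)):
            return "Exchange_Transport_DLL_Drop"
    elif eid == "1":  # ProcessCreate: transport service spawning an interpreter, or agent cmdlets
        if _matches(_field(event_xml, "ParentImage"), TRANSPORT_PARENTS) and _matches(image, INTERPRETERS):
            return "Exchange_Transport_OS_Command"
        if (_matches(image, ("*\\powershell.exe", "*\\pwsh.exe"))
                and _matches(_field(event_xml, "CommandLine"), AGENT_CMDLETS)):
            return "Transport_Agent_Install_Command"
    return None

# Constructed sample events in the flattened tag form the query parses (not real telemetry).
SAMPLE_EVENTS = [
    "<EventID>11</EventID><Image>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Image>"
    "<TargetFilename>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\df00tech-test-agent.dll</TargetFilename>",
    "<EventID>11</EventID><Image>D:\\ExchangeSetup\\ExSetup.exe</Image>"  # excluded installer
    "<TargetFilename>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\constructed-update.dll</TargetFilename>",
    "<EventID>1</EventID><ParentImage>C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\EdgeTransport.exe</ParentImage>"
    "<Image>C:\\Windows\\System32\\cmd.exe</Image><CommandLine>cmd.exe /c dir</CommandLine>",
    "<EventID>1</EventID><ParentImage>C:\\Windows\\explorer.exe</ParentImage>"
    "<Image>C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe</Image>"
    "<CommandLine>powershell -Command Install-TransportAgent -Name TestAgent</CommandLine>",
]
```

Calling classify() on the four sample events yields Exchange_Transport_DLL_Drop, None (the ExSetup.exe write is excluded), Exchange_Transport_OS_Command and Transport_Agent_Install_Command, in that order.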
Data Sources
Required Tables
False Positives & Tuning
- Initial deployment of legitimate Exchange-integrated security products (anti-spam, email archiving, DLP) that use Install-TransportAgent during their setup wizard — these are indistinguishable from malicious installs without prior change-management context
- Exchange server in-place upgrade processes that may run exsetup variants not exactly matching the excluded names, or that invoke transport service restart causing EdgeTransport.exe to launch child processes for health checks
- Automated certificate renewal or TLS reconfiguration scripts invoked from Exchange transport service context that spawn PowerShell or cmd.exe for configuration tasks unrelated to agent installation
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: List Installed Transport Agents (Detection Audit)
  Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Get-TransportAgent'. Exchange admin audit log: Get-TransportAgent cmdlet execution.
- Test 2: Simulate Transport Agent DLL Drop (File Write Test)
  Expected signal: Sysmon EventCode 11: FileCreate with TargetFilename containing 'TransportRoles\agents\df00tech-test-agent.dll' and Image=powershell.exe.
- Test 3: Check Exchange Admin Audit Log for Transport Agent Commands
  Expected signal: Sysmon EventCode 1: powershell.exe with CommandLine containing 'Search-AdminAuditLog'. Exchange admin audit log query event.