Windows WMI backdoor exchange transport agent

This rule is part of a beta feature. To learn more, contact Support.

Goal

Detects suspicious child process execution from Exchange Transport Service that may indicate WMI backdoor persistence mechanisms.

Strategy

This rule monitors Windows process creation events where @evt.id is 4688 and the parent process @Event.EventData.Data.ParentProcessName is EdgeTransport.exe, excluding a set of known legitimate child processes. The Exchange Transport Service normally spawns only a limited set of child processes for mail flow operations. Attackers who compromise Exchange servers often establish persistence through WMI event subscriptions or transport agent modifications that cause the transport service to spawn additional processes for backdoor access or malicious code execution.
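The detection logic described above, re-implemented in Python as an added example (this is not Datadog's rule definition). The record layout mirrors the page's @evt.id and @Event.EventData.Data.ParentProcessName attributes, while the allowlist of expected child processes, the sample events and the `detect` / `is_suspicious` function names are assumptions constructed for illustration.

```python
"""Flag Windows 4688 process-creation events whose parent is EdgeTransport.exe
unless the child process is on an allowlist.

Added example: the field names follow the page's attribute paths; the allowlist,
hosts and events below are constructed, not real telemetry.
"""
import json
from pathlib import PureWindowsPath

# Assumed allowlist; the page does not state which children the real rule excludes.
ALLOWED_CHILDREN = {"conhost.exe", "werfault.exe"}
PARENT_OF_INTEREST = "edgetransport.exe"


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, so comparisons are case- and
    directory-insensitive (EdgeTransport.exe may appear under any install path)."""
    return PureWindowsPath(path).name.lower()


def is_suspicious(event: dict) -> bool:
    """True when the event is a 4688 with parent EdgeTransport.exe and a child
    that is not on the allowlist."""
    if str(event.get("evt", {}).get("id")) != "4688":
        return False
    data = event.get("Event", {}).get("EventData", {}).get("Data", {})
    if _basename(data.get("ParentProcessName", "")) != PARENT_OF_INTEREST:
        return False
    return _basename(data.get("NewProcessName", "")) not in ALLOWED_CHILDREN


def detect(lines):
    """Run the rule over newline-delimited JSON event lines and return
    (host, child process path, command line) for every match."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the whole batch
        if is_suspicious(event):
            data = event["Event"]["EventData"]["Data"]
            hits.append((event.get("host", "?"),
                         data.get("NewProcessName", ""),
                         data.get("CommandLine", "")))
    return hits


def _event(event_id, host, parent, child, cmdline):
    """Build one constructed event line in the assumed JSON layout."""
    return json.dumps({
        "evt": {"id": event_id},
        "host": host,
        "Event": {"EventData": {"Data": {
            "ParentProcessName": parent,
            "NewProcessName": child,
            "CommandLine": cmdline,
        }}},
    })


EXCH_BIN = r"C:\Program Files\Microsoft\Exchange Server\V15\Bin"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # unexpected shell child of the transport service -> flagged
    _event(4688, "exch01", EXCH_BIN + r"\EdgeTransport.exe",
           r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
    # allowlisted child -> not flagged
    _event(4688, "exch01", EXCH_BIN + r"\EdgeTransport.exe",
           r"C:\Windows\System32\conhost.exe", "conhost.exe 0x4"),
    # same child but a different parent -> not flagged
    _event(4688, "exch01", r"C:\Windows\System32\inetsrv\w3wp.exe",
           r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
    # wrong event id (process exit) -> not flagged
    _event(4689, "exch01", EXCH_BIN + r"\EdgeTransport.exe",
           r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo test"),
    # lower-case parent name with forward slashes -> still flagged
    _event("4688", "exch02", "c:/exchange/bin/edgetransport.exe",
           r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           "powershell.exe -NoProfile -File script.ps1"),
    "this line is not json",
]

if __name__ == "__main__":
    for host, child, cmdline in detect(SAMPLE_EVENTS):
        print(f"{host}: {child} :: {cmdline}")
```

Running the block prints the two matching events; the allowlisted child, the w3wp.exe parent, the 4689 record and the malformed line are all passed over, which is the behaviour a reviewer would want to confirm before trusting the exclusion list.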

Triage and response

  • Examine the specific child process spawned by EdgeTransport.exe on {{host}} to determine if it represents legitimate Exchange functionality or malicious activity.
  • Review Exchange transport agent configurations and WMI event subscriptions to identify any unauthorized modifications or suspicious entries.
  • Check Exchange server logs around the time of process creation for any transport agent loading events or configuration changes.
  • Analyze the command-line arguments and process behavior of the spawned child process to understand its intended functionality.
  • Verify if recent Exchange server maintenance, updates, or administrative changes could account for the unusual process execution pattern.