Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell. Whilst this is a legitimate administrative tool it is abused by attackers to performs actions on a compromised Exchange server. Hunt for unusual activity related to this Snapin including it being added on new hosts or by new accounts.
| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Windows Security Events |
| ID | 8afd1086-fc9a-4d26-b3ff-5c794c79a59a |
| Tactics | Collection |
| Techniques | T1119 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
SecurityEvent |
EventID == "4688" |
✓ | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊