The detection identifies when an adversary loads a PowerShell snap-in, which may indicate the use of PowerShell for persistence or command and control. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise and mitigate lateral movement risks.
KQL Query
DeviceProcessEvents | where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where ProcessCommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
id: f87ae1b7-ecd1-418f-bb2a-68b4a7658677
name: exchange-powershell-snapin-loaded
description: |
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
1. CVE-2021-26855
2. CVE-2021-26857
3. CVE-2021-26858
4. CVE-2021-27065
The following query finds evidence of an Exchange PowerShell snap-in being loaded. This can indicate an attempt to exfiltrate data.
More queries related to this threat can be found under the See also section of this page.
Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
tactics:
- Exfiltration
query: |
DeviceProcessEvents | where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where ProcessCommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
Scenario: A system administrator is using PowerShell to load the Exchange Management Shell as part of routine administrative tasks.
Filter/Exclusion: Check for the presence of Microsoft.Exchange.Management.PowerShell.E2010 in the ModuleName field, or filter by user accounts with administrative privileges (e.g., UserPrincipalName containing [email protected]).
Scenario: A scheduled job is configured to run a PowerShell script that loads the Exchange snap-in to perform automated mailbox backups or reporting.
Filter/Exclusion: Filter by ProcessName containing schtasks.exe or Task Scheduler job names, and exclude known backup or reporting scripts.
Scenario: A third-party tool such as Quest Software’s Quest PowerShell Tools or EMC PowerGUI is used to manage Exchange environments, which may load the Exchange snap-in as part of its functionality.
Filter/Exclusion: Include ProcessName or Module fields that match known third-party tools, or check for the presence of tool-specific registry keys or configuration files.
Scenario: A Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) task is running a PowerShell script that interacts with Exchange for patch management or compliance reporting.
Filter/Exclusion: Filter by ProcessName such as wusa.exe, ccmexec.exe, or msiexec.exe, or check for task names associated with WSUS or SCCM.
Scenario: An Exchange Online (EOP) hybrid environment is being managed using Exchange Online PowerShell via the Microsoft Online Services Sign-in Assistant, which may load the Exchange snap-in during connection.
Filter/Exclusion: Filter by ProcessName containing powershell.exe and check for the presence of `ExchangeOnlineManagement