This detection identifies a tool used for Exchange mailbox enumeration or hijacking that is associated with APT 15, activity that indicates reconnaissance or lateral movement. SOC teams should proactively hunt for this behavior to catch early-stage APT 15 activity and prevent further compromise within their Azure Sentinel environment.
YARA Rule
rule malware_apt15_exchange_tool {
    meta:
        author = "Ahmed Zaki"
        md5 = "d21a7e349e796064ce10f2f6ede31c71"
        description = "This is an Exchange enumeration/hijacking tool used by APT 15"
        reference = "https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
    strings:
        $s1 = "subjectname" fullword
        $s2 = "sendername" fullword
        $s3 = "WebCredentials" fullword
        $s4 = "ExchangeVersion" fullword
        $s5 = "ExchangeCredentials" fullword
        $s6 = "slfilename" fullword
        $s7 = "EnumMail" fullword
        $s8 = "EnumFolder" fullword
        $s9 = "set_Credentials" fullword
        $s10 = "/de" wide
        $s11 = "/sn" wide
        $s12 = "/sbn" wide
        $s13 = "/list" wide
        $s14 = "/enum" wide
        $s15 = "/save" wide
        $s16 = "/ao" wide
        $s17 = "/sl" wide
        $s18 = "/v or /t is null" wide
        $s19 = "2007" wide
        $s20 = "2010" wide
        $s21 = "2010sp1" wide
        $s22 = "2010sp2" wide
        $s23 = "2013" wide
        $s24 = "2013sp1" wide
    condition:
        uint16(0) == 0x5A4D and 15 of ($s*)
}
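As an added teaching example (not part of the original rule or of NCC Group's analysis), the following Python models the rule's condition without the yara library: the MZ-header check, the fullword modifier on the ASCII strings, the wide (UTF-16LE) modifier on the command-line switches and version strings, and the 15-of-24 threshold. The two sample buffers are constructed for the demonstration, not real files.

```python
import re

# String set transcribed from the rule above: 9 ASCII 'fullword' strings and 15 'wide' strings.
ASCII_FULLWORD = [b"subjectname", b"sendername", b"WebCredentials", b"ExchangeVersion",
                  b"ExchangeCredentials", b"slfilename", b"EnumMail", b"EnumFolder",
                  b"set_Credentials"]
WIDE = ["/de", "/sn", "/sbn", "/list", "/enum", "/save", "/ao", "/sl", "/v or /t is null",
        "2007", "2010", "2010sp1", "2010sp2", "2013", "2013sp1"]
THRESHOLD = 15  # condition: 15 of ($s*)


def fullword_present(data: bytes, s: bytes) -> bool:
    """YARA 'fullword': the match may not be adjacent to an alphanumeric character."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(s) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def wide_present(data: bytes, s: str) -> bool:
    """YARA 'wide': the string as UTF-16LE, i.e. a NUL byte after every ASCII character."""
    return s.encode("utf-16-le") in data


def evaluate(data: bytes) -> tuple:
    """Return (rule_matches, number_of_strings_hit) for one file image."""
    # uint16(0) == 0x5A4D reads the first two bytes little-endian, i.e. the "MZ" PE stub.
    if data[:2] != b"MZ":
        return False, 0
    hits = sum(fullword_present(data, s) for s in ASCII_FULLWORD)
    hits += sum(wide_present(data, s) for s in WIDE)
    return hits >= THRESHOLD, hits


# Constructed sample images (not real malware): one carrying every string from the rule,
# and a benign-looking one carrying only names a legitimate EWS client would also contain.
SUSPECT = (b"MZ" + b"\x90" * 62
           + b"\x00".join(ASCII_FULLWORD) + b"\x00"
           + b"\x00\x00".join(s.encode("utf-16-le") for s in WIDE))
BENIGN = (b"MZ" + b"\x90" * 62
          + b"\x00WebCredentials\x00ExchangeVersion\x00" + "2010".encode("utf-16-le"))

if __name__ == "__main__":
    for name, image in (("suspect", SUSPECT), ("benign", BENIGN)):
        matched, hits = evaluate(image)
        print(f"{name}: {hits}/{len(ASCII_FULLWORD) + len(WIDE)} strings, match={matched}")
```

A legitimate EWS client that shares a few .NET member names stays well under the threshold, so tuning should start from the per-file hit count rather than from removing strings; for production scanning, run the rule itself with yara or yara-python.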
This YARA rule can be deployed in the following contexts:
This rule contains 24 string patterns in its detection logic.
Scenario: A system administrator is performing a scheduled mailbox backup using Microsoft Exchange Online Backup Tools
Filter/Exclusion: Check for process.name containing “ExchangeBackup” or “Backup” and verify the user is a member of the “Exchange Admins” group.
Scenario: An IT staff member is using PowerShell to run a legitimate Exchange Management Shell (EMS) script to configure mailbox permissions
Filter/Exclusion: Filter by process.name containing “powershell.exe” and check for the presence of “Exchange Management Shell” in the command line or script name.
Scenario: A user is running a scheduled job via Task Scheduler to export mailbox data for compliance purposes using the Export-Mailbox cmdlet
Filter/Exclusion: Use task.name or task.description to identify known compliance or audit tasks, and check for the presence of “Export-Mailbox” in the command line.
Scenario: A developer is testing Exchange Web Services (EWS) API calls using a legitimate tool like EWS Managed API for integration purposes
Filter/Exclusion: Filter by process.name containing “EWSManagedAPI” or “Microsoft.Exchange.WebServices” and verify the user has a legitimate development role.
Scenario: A security team is performing a penetration test using Metasploit with a module that simulates Exchange enumeration (e.g., auxiliary/scanner/exchange/enum)
Filter/Exclusion: Check for process.name containing “msfconsole” or “Metasploit” and ensure the activity is part of an authorized security assessment.