Exchange PowerShell Snap-Ins Usage
About the rule
Rule Type
Standard
Rule Description
Detects PowerShell command lines that load the Exchange management snap-ins (Microsoft.Exchange.PowerShell.SnapIn or Microsoft.Exchange.Management.PowerShell.SnapIn) via Add-PSSnapin. Threat actors commonly load these snap-ins to export mailbox data.
Severity
Trouble
Rule journey
Attack chain scenario
Execution → Collection
- Execution: Command and Scripting Interpreter – PowerShell (T1059.001)
- Collection: Email Collection (T1114)
Impact
Potential unauthorized access and exfiltration of mailbox data leading to data breaches and loss of sensitive information.
Rule Requirement
Prerequisites
Using Windows Event Viewer
- Log in to a domain controller with domain admin credentials.
- Open the Group Policy Management Console by typing gpmc.msc in the Run dialog.
- Create a new GPO or edit an existing one linked to the appropriate OU.
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking.
- Right-click on "Audit Process Creation" and select Properties.
- Select "Configure the following audit events" and check the "Success" box, then click OK.
- Right-click on "Audit Process Termination" and select Properties.
- Select "Configure the following audit events" and check the "Success" box, then click OK.
- For enhanced process tracking with command line information, navigate to: Computer Configuration > Administrative Templates > System > Audit Process Creation.
- Double-click on "Include command line in process creation events", select "Enabled", and click OK.
- Create a new registry key at the path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Security-Auditing\Operational
Using Sysmon
- Download and install Sysmon from Microsoft Sysinternals.
- Open a Command Prompt with administrator privileges.
- Create or download a Sysmon configuration file that includes process creation monitoring.
- Install Sysmon using the command: sysmon.exe -i configfile.xml
- In the configuration file, include the following to monitor all process creations:
  <Sysmon>
    <EventFiltering>
      <ProcessCreate onmatch="exclude"/>
    </EventFiltering>
  </Sysmon>
- If not already created, make a new registry key at: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Microsoft-Windows-Sysmon\Operational
Criteria
Action1: actionname = "Process started"
  AND ((PROCESSNAME endswith "\powershell.exe,\pwsh.exe" OR ORIGINALFILENAME = "PowerShell.EXE,pwsh.dll")
       AND COMMANDLINE contains "Add-PSSnapin"
       AND COMMANDLINE contains "Microsoft.Exchange.Powershell.Snapin,Microsoft.Exchange.Management.PowerShell.SnapIn")
  AND (PARENTPROCESSNAME != "C:\Windows\System32\msiexec.exe" OR COMMANDLINE notcontains "$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null")
select Action1.HOSTNAME, Action1.MESSAGE, Action1.COMMANDLINE, Action1.FILE_NAME, Action1.PROCESSNAME, Action1.USERNAME, Action1.PARENTPROCESSNAME
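The Criteria above, expressed as a plain Python filter and run over a handful of constructed process-creation events, as an added example that is not part of the original rule or its product. The comma-separated values in the Criteria are treated as "any of" lists, comparisons are case-insensitive (the rule itself mixes "Powershell.Snapin" and "PowerShell.SnapIn"), and the msiexec/Get-ExchangeServer exclusion is applied exactly as written: only the combination of both conditions is treated as benign. Hostnames, users, paths and command lines in the sample events are made up.

```python
# Added example, not part of the original rule page: the Criteria expressed as
# a Python filter and run over constructed process-creation events.
# Field names mirror the Criteria; all sample values below are constructed.

# Values copied from the Criteria; the comma-separated lists there mean "any of".
PROCESS_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")
ORIGINAL_FILENAMES = ("powershell.exe", "pwsh.dll")
SNAPINS = (
    "microsoft.exchange.powershell.snapin",
    "microsoft.exchange.management.powershell.snapin",
)
# Benign case excluded by the rule: Exchange setup code run under msiexec.
FILTER_PARENT = "c:\\windows\\system32\\msiexec.exe"
FILTER_CMD = (
    "$exserver=get-exchangeserver ([environment]::machinename) "
    "-errorvariable exerr 2> $null"
)
SELECTED_FIELDS = ("HOSTNAME", "MESSAGE", "COMMANDLINE", "FILE_NAME",
                   "PROCESSNAME", "USERNAME", "PARENTPROCESSNAME")


def is_exchange_snapin_load(event):
    """True when one process-start event satisfies the rule's Criteria.

    Comparisons are case-insensitive: Windows paths and PowerShell identifiers
    are, and the Criteria mixes cases ("Powershell.Snapin" vs "PowerShell.SnapIn").
    """
    if event.get("actionname") != "Process started":
        return False
    proc = event.get("PROCESSNAME", "").lower()
    orig = event.get("ORIGINALFILENAME", "").lower()
    cmd = event.get("COMMANDLINE", "").lower()
    parent = event.get("PARENTPROCESSNAME", "").lower()

    is_powershell = proc.endswith(PROCESS_SUFFIXES) or orig in ORIGINAL_FILENAMES
    loads_snapin = "add-pssnapin" in cmd and any(s in cmd for s in SNAPINS)
    if not (is_powershell and loads_snapin):
        return False
    # The rule's filter is "parent != msiexec OR commandline notcontains <setup snippet>",
    # so only the combination of both conditions is treated as benign.
    benign_setup = parent == FILTER_PARENT and FILTER_CMD in cmd
    return not benign_setup


def find_matches(events):
    """Apply the rule to a list of events; return the Criteria's selected fields."""
    return [
        {field: ev.get(field, "") for field in SELECTED_FIELDS}
        for ev in events
        if is_exchange_snapin_load(ev)
    ]


# Constructed sample events (hostnames, users and paths are made up).
PS_PATH = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {   # Interactive snap-in load from cmd.exe: should match.
        "actionname": "Process started", "HOSTNAME": "EXCH01", "USERNAME": "CORP\\jdoe",
        "PROCESSNAME": PS_PATH, "ORIGINALFILENAME": "PowerShell.EXE",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\cmd.exe",
        "COMMANDLINE": 'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn"',
    },
    {   # Renamed PowerShell 7 binary identified only by ORIGINALFILENAME: should match.
        "actionname": "Process started", "HOSTNAME": "EXCH02", "USERNAME": "CORP\\svc_task",
        "PROCESSNAME": "C:\\Tools\\ps7\\ps.exe", "ORIGINALFILENAME": "pwsh.dll",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\svchost.exe",
        "COMMANDLINE": "ps.exe -nop -c add-pssnapin microsoft.exchange.powershell.snapin",
    },
    {   # Exchange setup under msiexec with the known snippet: filtered out.
        "actionname": "Process started", "HOSTNAME": "EXCH01", "USERNAME": "NT AUTHORITY\\SYSTEM",
        "PROCESSNAME": PS_PATH, "ORIGINALFILENAME": "PowerShell.EXE",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\msiexec.exe",
        "COMMANDLINE": ('powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; '
                        '$exserver=Get-ExchangeServer ([Environment]::MachineName) -ErrorVariable exerr 2> $null"'),
    },
    {   # msiexec parent but without the setup snippet: exclusion does not apply, should match.
        "actionname": "Process started", "HOSTNAME": "EXCH03", "USERNAME": "CORP\\Administrator",
        "PROCESSNAME": PS_PATH, "ORIGINALFILENAME": "PowerShell.EXE",
        "PARENTPROCESSNAME": "C:\\Windows\\System32\\msiexec.exe",
        "COMMANDLINE": 'powershell.exe -c "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn"',
    },
    {   # Ordinary PowerShell with no snap-in: no match.
        "actionname": "Process started", "HOSTNAME": "WKS01", "USERNAME": "CORP\\jdoe",
        "PROCESSNAME": PS_PATH, "ORIGINALFILENAME": "PowerShell.EXE",
        "PARENTPROCESSNAME": "C:\\Windows\\explorer.exe",
        "COMMANDLINE": "powershell.exe -c Get-Date",
    },
]


if __name__ == "__main__":
    for hit in find_matches(SAMPLE_EVENTS):
        print(f"ALERT host={hit['HOSTNAME']} user={hit['USERNAME']} cmd={hit['COMMANDLINE']}")
```

Running the block prints three alerts (EXCH01, EXCH02, EXCH03) and stays silent on the setup event and the plain Get-Date invocation. The second sample shows why the rule checks ORIGINALFILENAME as well as PROCESSNAME: a renamed binary still carries its original file name in the PE version resource, which Sysmon and 4688 events expose.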
Detection
Execution Mode
realtime
Log Sources
Windows
MITRE ATT&CK
- T1059.001: Command and Scripting Interpreter – PowerShell
- T1114: Email Collection
Security Standards
- Use antivirus/antimalware solutions for detection and quarantine
- Enforce PowerShell execution policies to allow only signed scripts
- Disable or restrict PowerShell and WinRM where not needed
- Apply application control and constrained language modes
- Enforce privileged account management and multi-factor authentication
- Audit mailbox forwarding and export rules
- Encrypt sensitive email data and use out-of-band verification for critical actions
Author
FPT.EagleEye, Nasreddine Bencherchali (Nextron Systems)
Future actions
Known False Positives
None documented
Next Steps
- Investigate and verify PowerShell snap-in activity for legitimacy
- Continuously monitor mailbox export and forwarding configurations
- Strengthen PowerShell and account security policies
- Educate administrators on secure usage of Exchange PowerShell
Mitigation
| Mitigation ID | Name | Description |
| --- | --- | --- |
| M1049 | Antivirus/Antimalware | Use antivirus solutions to automatically detect, quarantine, and block malicious scripts or suspicious files related to Exchange snap-in usage. |
| M1045 | Code Signing | Enforce PowerShell execution policy to allow only signed scripts, reducing the risk of unauthorized or malicious script execution. |
| M1042 | Disable or Remove Feature | Consider restricting or disabling PowerShell where not necessary. Disable or restrict the WinRM service to reduce the remote PowerShell attack surface. |
| M1038 | Execution Prevention | Apply application control measures such as AppLocker and enable PowerShell Constrained Language Mode to restrict dangerous PowerShell commands. |
| M1026 | Privileged Account Management | Limit execution of PowerShell commands to administrators and apply Just Enough Administration (JEA) to reduce exposure. |
| M1047 | Audit | Regularly audit mailbox rules and mailbox export actions using Exchange admin tools like Get-InboxRule to detect suspicious forwarding or data export configurations. |
| M1041 | Encrypt Sensitive Information | Enable encryption for emails and sensitive information to protect against data interception or exfiltration. |
| M1032 | Multi-factor Authentication | Implement multi-factor authentication on all public-facing services, including webmail, to reduce the risk of unauthorized access. |
| M1060 | Out-of-Band Communications Channel | Use out-of-band verification for critical email actions like password resets or financial transactions to prevent compromise via email account control. |