Rule Category

SERVER-MAIL -- Snort has detected traffic exploiting vulnerabilities in mail servers (such as Exchange, Courrier). These are different from protocol traffic, as this deals with the traffic going to the mail server itself.

Alert Message

SERVER-MAIL Microsoft Exchange Server arbitrary file write attempt

Rule Explanation

This rule is looking for post-authentication file write attempts using the Microsoft Exchange server Set-OabVirtualDirectory commands.

What To Look For

This rule fires on post-authentication exploit traffic.

Known Usage

No public information

False Positives

No known false positives

Contributors

Cisco Talos Intelligence Group

MITRE ATT&CK Framework

Tactic: Execution

Technique: Execution through API

For reference, see the MITRE ATT&CK vulnerability types here: https://attack.mitre.org

Additional Links

Rule Vulnerability

Escalation of Privilege

An Escalation of Privilege (EOP) attack is any attack method that results in a user or application gaining permissions to access resources they normally would not have access to.

CVE Additional Information