Exchange Set OabVirtualDirectory ExternalUrl Property

Title: Exchange Set OabVirtualDirectory ExternalUrl Property
Status: test
Description:Rule to detect an adversary setting OabVirtualDirectory External URL property to a script in Exchange Management log
References:
  -https://twitter.com/OTR_Community/status/1371053369071132675
Author: Jose Rodriguez @Cyb3rPandaH
Date: 2021-03-15
modified:2023-01-23
Tags:

• -'attack.persistence'
• -'attack.t1505.003'

Logsource:

• product: windows
• service: msexchange-management

Detection:
  keywords:
    |all:
      -'Set-OabVirtualDirectory'
      -'ExternalUrl'
      -'Page_Load'
      -'script'

  condition:keywords
Falsepositives:
  -Unknown
Level: high