Purpose: To protect against suspected reconnaissance and exfiltration behavior.

Description: Protect against reconnaissance and exfiltration of files.

Enabled by Default: No
Platform: Windows
Minimum Agent Version Required: 8.0.0

Adversaries may leverage Exchange PowerShell cmdlets and commands to access, read, and/or exfiltrate sensitive information such as email. This Rapid Config focuses on those behaviors, starting with rules targeting Exchange reconnaissance, discovery, and exfiltration as observed in Sunburst post-exploitation activity. An adversary may attempt to enumerate users and roles on Exchange servers to assess permissions, query configured virtual directory information, and exfiltrate mailboxes via mailbox exports and archiving tools.

The Edit Rapid Config page for the Reconnaissance and Exfiltration Protection Rapid config

How can Carbon Black App Control help?

The Reconnaissance and Exfiltration Rapid Config can be enabled to report or block zip tool command lines that can be used for exfiltration. You can also use this Rapid Config to monitor suspicious command lines associated with the reconnaissance, discovery, exfiltration, and cleanup performed through Exchange PowerShell cmdlets. This Rapid Config will be updated as tactics emerge and evolve.

Rapid Config Settings

As with most rapid configs, you can:

  • Enable or disable the rapid config.

  • Specify what policies the rapid config applies to.

In addition, you can choose to Do Nothing, Report, or Block the specific items or behaviors.

Note: We recommend setting each section to Report before setting it to Block. Use the resulting events to confirm that legitimate behavior will not be impacted.

For each of the following sections, specify what action you require.

Suspicious Microsoft Exchange Reconnaissance and Exfiltration Command Lines

This group protects against specific techniques used in Microsoft Exchange reconnaissance and exfiltration. These techniques were seen in the SolarWinds breach. When enabled, this rule reports or blocks the use of common archiving tools such as 7z.exe, WinRAR, and PowerShell on .ost or .pst files, which could indicate that email files are being archived for exfiltration.

The Suspicious Microsoft Exchange reconnaissance and exfiltration command lines settings for the Reconnaissance and Exfiltration Protection Rapid config

Report Or Block Execution Of Zip Tools With Suspicious Command Lines:
Should execution of zip tools with suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
When enabled, this set of command lines lets you report or block activity associated with the reconnaissance, discovery, exfiltration, and cleanup performed through Exchange PowerShell cmdlets, and with AdFind Active Directory dumping. These behaviors were observed in Sunburst post-exploitation activity but are not unique to the SolarWinds breach.
Depending on your environment, some of these commands may run frequently. Because these cmdlets are used by both attackers and Exchange Server administrators, we suggest Report Only first to establish a baseline and gauge how noisy the rule is.
Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following are listed:
  • <cmdline:*.ost*>7z.exe
  • <cmdline:*.pst*>7z.exe
  • <cmdline:*.ost*>Rar.exe
  • <cmdline:*.pst*>Rar.exe
  • <cmdline:*.ost*>WinRAR.exe
  • <cmdline:*.pst*>WinRAR.exe
  • <cmdline:*.ost*>WzZip.exe
  • <cmdline:*.pst*>WzZip.exe
  • <cmdline:*compress-archive*.ost*>powershell.exe
  • <cmdline:*compress-archive*.pst*>powershell.exe
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked.

Report Or Block Executions With Suspicious Command Lines:
Should execution of these suspicious command lines be reported or blocked? You should validate that legitimate execution is not blocked before enabling blocking.
Command Lines To Report:
Carbon Black App Control will report or block execution of the specified command lines. You can add or remove items from this list. By default, the following are listed:
  • <CmdLineAnyArgument:Get-WebServicesVirtualDirectory>*
  • <CmdLineAnyArgument:Remove-MailboxExportRequest>*
  • <CmdLineAnyArgument:Get-OrganizationConfig>*
  • <CmdLineAnyArgument:Get-ManagementRoleAssignment>*
  • <CmdLineAnyArgument:New-MailboxExportRequest>*
  • <CmdLine:*Set-CASMailbox -Identity * -ActiveSyncAllowedDeviceIDs*>*
  • <CmdLineArgumentName:-sc:exch*>*
  • <CmdLineArgumentName:/sc:exch*>*
Command Lines That Should Not Be Reported:
Execution of command lines specified here will not be reported or blocked. You can add or remove items from this list.
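The entries in both "Command Lines To Report" lists above share one `<kind:pattern>image` syntax. The script below is an added example, not Carbon Black App Control code: it evaluates the two default lists against a handful of constructed command lines so you can see which events would surface in Report mode, and how an entry in "Command Lines That Should Not Be Reported" suppresses a legitimate backup job. This page does not describe how the product itself tokenizes or matches, so the matching semantics used here (case-insensitive glob over the whole command line, whitespace-split arguments with quotes stripped), the sample events and the sample exclusion are all assumptions of this example.

```python
"""Offline evaluator for the Rapid Config rule syntax quoted on this page.

Added example, not Carbon Black App Control code. Assumed semantics:
  <cmdline:GLOB>IMAGE          GLOB vs whole command line, IMAGE vs process name
  <CmdLine:GLOB>*              same, any process
  <CmdLineAnyArgument:TOKEN>*  TOKEN equals one whitespace-separated argument
  <CmdLineArgumentName:GLOB>*  GLOB vs each individual argument
All comparisons are case-insensitive.
"""
import fnmatch
import re

# Default lists copied from the two rule sections above.
ZIP_TOOL_RULES = [
    "<cmdline:*.ost*>7z.exe", "<cmdline:*.pst*>7z.exe",
    "<cmdline:*.ost*>Rar.exe", "<cmdline:*.pst*>Rar.exe",
    "<cmdline:*.ost*>WinRAR.exe", "<cmdline:*.pst*>WinRAR.exe",
    "<cmdline:*.ost*>WzZip.exe", "<cmdline:*.pst*>WzZip.exe",
    "<cmdline:*compress-archive*.ost*>powershell.exe",
    "<cmdline:*compress-archive*.pst*>powershell.exe",
]
EXCHANGE_RULES = [
    "<CmdLineAnyArgument:Get-WebServicesVirtualDirectory>*",
    "<CmdLineAnyArgument:Remove-MailboxExportRequest>*",
    "<CmdLineAnyArgument:Get-OrganizationConfig>*",
    "<CmdLineAnyArgument:Get-ManagementRoleAssignment>*",
    "<CmdLineAnyArgument:New-MailboxExportRequest>*",
    "<CmdLine:*Set-CASMailbox -Identity * -ActiveSyncAllowedDeviceIDs*>*",
    "<CmdLineArgumentName:-sc:exch*>*",
    "<CmdLineArgumentName:/sc:exch*>*",
]

RULE_RE = re.compile(r"^<(?P<kind>[A-Za-z]+):(?P<value>.+)>(?P<image>.+)$")


def parse_rule(rule):
    """Split '<kind:value>image' into (kind lower-cased, value, image glob)."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"unrecognised rule syntax: {rule!r}")
    return m.group("kind").lower(), m.group("value"), m.group("image")


def _glob(pattern, text):
    # Lower-case both sides so the match is case-insensitive on every platform.
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def _arguments(cmdline):
    # Whitespace split with surrounding quotes removed: an approximation of
    # Windows argument parsing that is sufficient for these rule lists.
    return [tok.strip("\"'") for tok in cmdline.split()]


def rule_matches(rule, image, cmdline):
    """True if the process image and full command line satisfy one rule."""
    kind, value, image_glob = parse_rule(rule)
    if not _glob(image_glob, image):
        return False
    if kind == "cmdline":
        return _glob(value, cmdline)
    if kind == "cmdlineanyargument":
        return any(arg.lower() == value.lower() for arg in _arguments(cmdline))
    if kind == "cmdlineargumentname":
        return any(_glob(value, arg) for arg in _arguments(cmdline))
    raise ValueError(f"unsupported rule kind: {kind!r}")


def evaluate(image, cmdline, report_rules, exclusions=()):
    """Rules an event hits, or [] when a 'Should Not Be Reported' entry covers it."""
    if any(rule_matches(x, image, cmdline) for x in exclusions):
        return []
    return [r for r in report_rules if rule_matches(r, image, cmdline)]


# Constructed sample events (not real telemetry) for a Report-only baseline.
SAMPLE_EVENTS = [
    ("7z.exe", r"7z.exe a C:\Temp\out.7z C:\Users\jdoe\Documents\Outlook\archive.pst"),
    ("7z.exe", r"7z.exe a D:\Backup\mail.7z C:\Users\jdoe\Documents\Outlook\archive.pst"),
    ("7z.exe", r"7z.exe a C:\Temp\logs.7z C:\Logs\*.log"),
    ("powershell.exe", r'powershell.exe -Command "Compress-Archive -Path C:\Users\jdoe\mail.ost -DestinationPath C:\Temp\m.zip"'),
    ("powershell.exe", r'powershell.exe -Command "New-MailboxExportRequest -Mailbox jdoe -FilePath \\fileserver\exports\jdoe.pst"'),
    ("powershell.exe", "powershell.exe -Command Get-Mailbox -ResultSize 10"),
]
# Constructed exclusion: a scheduled backup job that archives under D:\Backup.
SAMPLE_EXCLUSIONS = [r"<cmdline:*D:\Backup\*>7z.exe"]


def baseline(events=SAMPLE_EVENTS, exclusions=SAMPLE_EXCLUSIONS):
    """Map each sample command line to the default rules that would fire."""
    return {cmdline: evaluate(image, cmdline, ZIP_TOOL_RULES + EXCHANGE_RULES, exclusions)
            for image, cmdline in events}


if __name__ == "__main__":
    for cmdline, hits in baseline().items():
        print("REPORT" if hits else "  ok  ", cmdline)
        for rule in hits:
            print("        ", rule)
```

Running the script shows the .pst archive and the Compress-Archive and New-MailboxExportRequest invocations being reported, the backup job under D:\Backup being suppressed by the exclusion, and the log archive and Get-Mailbox query passing untouched, which is the kind of result to review before switching a section from Report to Block.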