Skip to content
Atomic Red Team
atomics
T1505.002

T1505.002 - Server Software Component: Transport Agent

Description from ATT&CK (opens in a new tab)

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

Atomic Tests


Atomic Test #1 - Install MS Exchange Transport Agent Persistence

Install a Microsoft Exchange Transport Agent for persistence. This requires execution from an Exchange Client Access Server and the creation of a DLL with specific exports. Seen in use by Turla. More details- https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help (opens in a new tab)

Supported Platforms: Windows

auto_generated_guid: 43e92449-ff60-46e9-83a3-1a38089df94d

Inputs:

NameDescriptionTypeDefault Value
class_factoryClass factory of transport agent.stringMicrosoft.Exchange.Security.Interop.SecurityInteropAgentFactory
dll_pathPath of DLL to use as transport agent.pathc:\program files\microsoft\Exchange Server\v15\bin\Microsoft.Exchange.Security.Interop.dll
transport_agent_identityFriendly name of transport agent once installed.stringSecurity Interop Agent

Attack Commands: Run with powershell! Elevation Required (e.g. root or admin)

Install-TransportAgent -Name #{transport_agent_identity} -TransportAgentFactory #{class_factory} -AssemblyPath #{dll_path}
Enable-TransportAgent #{transport_agent_identity}
Get-TransportAgent | Format-List Name,Enabled

Cleanup Commands:

if(Get-Command "Get-TransportAgent" -ErrorAction Ignore){
  Disable-TransportAgent #{transport_agent_identity}
  Uninstall-TransportAgent #{transport_agent_identity}
  Get-TransportAgent
}

Dependencies: Run with powershell!

Description: Microsoft Exchange SnapIn must be installed
Check Prereq Commands:
Get-TransportAgent -TransportService FrontEnd
Get Prereq Commands:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn