DET0166 Detection Strategy for T1505.002 - Transport Agent Abuse (Windows/Linux)
| Item | Value |
|---|---|
| ID | DET0166 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1505.002 (Transport Agent)
Analytics
Windows
AN0472
An adversary registers a malicious Microsoft Exchange transport agent DLL (a .NET assembly), typically through the transport agent management cmdlets (Install-TransportAgent, Enable-TransportAgent) in PowerShell or the Exchange Management Shell, and gains persistent code execution because the agent is loaded into the transport pipeline and can act on every message that matches its rules or header conditions.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| TimeWindow | Window over which transport agent cmdlet invocations are counted; tune to how often legitimate agent installs or updates occur in the environment. |
| AssemblyPath | Directory from which Exchange loads registered agent DLLs; the expected path varies between deployments, so the allowlist must be set per environment. |
| CmdletInvocationThreshold | Number of transport agent management cmdlet invocations by one actor within TimeWindow above which an alert fires. |
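The following is an added example, not MITRE's or Microsoft's code, showing the AN0472 logic run over a few constructed Exchange cmdlet audit records. The record format, the allowlisted assembly prefix and the starting values for TimeWindow and CmdletInvocationThreshold are assumptions to be tuned per environment; the cmdlet names are the real Exchange Management Shell cmdlets.

```python
# Added example (not MITRE's code): a minimal implementation of the AN0472 logic
# run over constructed Exchange cmdlet audit records. The record format, the
# allowlisted assembly prefix and the threshold values are assumptions to tune.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exchange Management Shell cmdlets that register or (re)enable a transport agent.
AGENT_CMDLETS = {"Install-TransportAgent", "Enable-TransportAgent", "Set-TransportAgent"}

# Mutable elements from the analytic (assumed starting values).
TIME_WINDOW = timedelta(hours=1)          # window for counting cmdlet invocations
CMDLET_INVOCATION_THRESHOLD = 2           # invocations per actor within TIME_WINDOW
ALLOWED_ASSEMBLY_PREFIXES = (             # where legitimately installed agents live (assumed)
    "c:\\program files\\microsoft\\exchange server\\v15\\transportroles\\agents\\",
)

# Constructed audit records: "ISO timestamp|actor|host|command line".
SAMPLE_LOG = [
    r"2025-10-21T09:00:00|CONTOSO\exadmin|EXCH01|Install-TransportAgent -Name 'Vendor Agent' "
    r"-TransportAgentFactory Vendor.AgentFactory "
    r"-AssemblyPath 'C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Vendor\Vendor.dll'",
    r"2025-10-21T09:30:00|CONTOSO\svc_backup|EXCH01|Install-TransportAgent -Name 'Hygiene Helper' "
    r"-TransportAgentFactory Helper.HelperFactory -AssemblyPath 'C:\Windows\Temp\helper.dll'",
    r"2025-10-21T09:31:00|CONTOSO\svc_backup|EXCH01|Enable-TransportAgent -Identity 'Hygiene Helper'",
    r"2025-10-21T09:32:00|CONTOSO\svc_backup|EXCH01|Get-TransportAgent",
    r"2025-10-21T10:45:00|CONTOSO\exadmin|EXCH01|Get-TransportAgent",
]

# Captures the -AssemblyPath argument whether single-quoted, double-quoted or bare.
ASSEMBLY_RE = re.compile(r"-AssemblyPath\s+(?:'([^']+)'|\"([^\"]+)\"|(\S+))", re.IGNORECASE)


def parse(line):
    """Split one constructed record into a dict with a datetime timestamp."""
    ts, actor, host, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "host": host, "cmd": cmd}


def assembly_path(cmd):
    """Return the DLL path passed to -AssemblyPath, or None if the cmdlet has none."""
    m = ASSEMBLY_RE.search(cmd)
    return next(g for g in m.groups() if g) if m else None


def analyze(lines, window=TIME_WINDOW, threshold=CMDLET_INVOCATION_THRESHOLD,
            allowed=ALLOWED_ASSEMBLY_PREFIXES):
    """Return alert tuples for unexpected agent DLL paths and bursts of agent cmdlets."""
    alerts = []
    recent = defaultdict(list)   # (actor, host) -> timestamps of agent cmdlets in the window
    for rec in sorted(map(parse, lines), key=lambda r: r["ts"]):
        cmdlet = rec["cmd"].split(None, 1)[0]
        if cmdlet not in AGENT_CMDLETS:
            continue
        path = assembly_path(rec["cmd"])
        if path and not path.lower().startswith(allowed):
            alerts.append(("unexpected_assembly_path", rec["actor"], path))
        key = (rec["actor"], rec["host"])
        # Keep only invocations inside the sliding TimeWindow, then add this one.
        recent[key] = [t for t in recent[key] if rec["ts"] - t <= window] + [rec["ts"]]
        if len(recent[key]) == threshold:      # fire once when a burst crosses the threshold
            alerts.append(("repeated_agent_cmdlets", rec["actor"], len(recent[key])))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the constructed records the administrator's install under the Exchange agents directory is silent, while the backup service account's install from C:\Windows\Temp raises an unexpected-path alert and its Install followed by Enable within the hour trips the invocation threshold. Get-TransportAgent is deliberately outside the cmdlet set so that routine enumeration does not count toward the threshold.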
Linux
AN0473
An adversary installs or modifies mail content filters or transport scripts (e.g., a Postfix milter, a Sendmail milter, or an Exim filter) using shell access or direct configuration edits, such as adding a new milter socket to smtpd_milters in Postfix main.cf or dropping a script into the daemon's filter directory.
Log Sources
Mutable Elements
| Field | Description |
|---|---|
| MailTransportScriptPath | Paths of custom scripts or filters to watch; these depend on the mail daemon (e.g., /etc/postfix/milter/, /etc/exim4/). |
| UserContext | Service accounts under which mail daemons and their filters are expected to run (postfix, exim, etc.); executions or modifications outside this set should be scoped separately. |
| ExecFrequencyThreshold | Number of filter script executions expected between daemon restarts or reloads; the baseline varies per daemon and mail volume. |