Persistence

T1505.002: Transport Agent

T1505.002 · Sub-technique · 2 platforms

Description

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer-defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary-defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

Platforms

Linux, Windows

Mitigations (3)

M1026: Privileged Account Management

Do not allow administrator accounts that have permissions to add component software on these services to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

M1047: Audit

Regularly check component software on critical services that adversaries may target for persistence to verify the integrity of the systems and identify if unexpected changes have been made.

M1045: Code Signing

Ensure all application component binaries are signed by the correct application developers.
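One way to apply the Audit and Code Signing mitigations above, as an added example that is not part of the ATT&CK entry: enumerate the transport agents registered on an Exchange server and flag any that are absent from a baseline, whose assembly sits outside the Exchange install directory, or whose assembly is unsigned or not signed by Microsoft. It assumes it runs in the Exchange Management Shell; the baseline list and the Microsoft-only signer check are assumptions to adapt to the environment (legitimate third-party agents will show up as findings for review).

```powershell
# Added example (not MITRE ATT&CK or Exchange project code): audit registered
# Exchange transport agents against a baseline and check assembly signatures.
# Assumes the Exchange Management Shell on an Exchange server.

# Constructed baseline of agents expected on this server (assumption; adapt it)
$ExpectedAgents = @(
    'Transport Rule Agent',
    'Malware Agent',
    'Text Messaging Routing Agent',
    'Text Messaging Delivery Agent'
)

# The Exchange installer sets this variable; used to spot assemblies loaded
# from unexpected locations.
$exchangeRoot = $env:ExchangeInstallPath

foreach ($agent in Get-TransportAgent) {
    $findings = @()

    if ($ExpectedAgents -notcontains $agent.Identity) {
        $findings += 'not in baseline'
    }

    $path = $agent.AssemblyPath
    if (-not $path) {
        $findings += 'no assembly path recorded'
    }
    elseif (-not (Test-Path -LiteralPath $path)) {
        $findings += 'assembly missing on disk'
    }
    else {
        if ($exchangeRoot -and -not $path.StartsWith($exchangeRoot, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "assembly outside Exchange install ($path)"
        }
        # Authenticode check: unsigned, tampered or non-Microsoft signers are flagged
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') {
            $findings += "signature status $($sig.Status)"
        }
        elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
            $findings += "signed by $($sig.SignerCertificate.Subject)"
        }
    }

    [pscustomobject]@{
        Identity = $agent.Identity
        Enabled  = $agent.Enabled
        Priority = $agent.Priority
        Assembly = $path
        Findings = ($findings -join '; ')
    }
}
```

Run it on a schedule and diff the output against the previous run; a new agent, a changed assembly path, or a changed signer is the event worth investigating.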

Associated Software (1)

| ID | Name | Type | Context |
| --- | --- | --- | --- |
| S0395 | LightNeuron | Malware | [LightNeuron](https://attack.mitre.org/software/S0395) has used a malicious Microsoft Exchange transport agent for persistence.(Citation: ESET LightNe... |

Frequently Asked Questions

What is T1505.002 (Transport Agent)?

T1505.002 is a MITRE ATT&CK sub-technique named 'Transport Agent'. It belongs to the Persistence tactic. Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to...

How can T1505.002 be detected?

Detection of T1505.002 (Transport Agent) typically involves monitoring system logs, network traffic, and endpoint telemetry. For this technique, that means auditing the transport agents registered on Exchange servers for unexpected additions or changes, as described under the Audit mitigation above, alongside SIEM rules, EDR solutions, and behavioral analytics that identify suspicious activity associated with the technique.

What mitigations exist for T1505.002?

There are 3 documented mitigations for T1505.002. Key mitigations include: Privileged Account Management, Audit, Code Signing.

Which threat groups use T1505.002?

While specific threat group attribution may vary, this technique has been observed in various real-world attacks. Check the MITRE ATT&CK website for the latest threat intelligence.