T1505.002 Transport Agent Mappings

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1505.002 Transport Agent
AC-3 Access Enforcement Protects T1505.002 Transport Agent
AC-5 Separation of Duties Protects T1505.002 Transport Agent
AC-6 Least Privilege Protects T1505.002 Transport Agent
CA-8 Penetration Testing Protects T1505.002 Transport Agent
CM-11 User-installed Software Protects T1505.002 Transport Agent
CM-2 Baseline Configuration Protects T1505.002 Transport Agent
CM-5 Access Restrictions for Change Protects T1505.002 Transport Agent
CM-6 Configuration Settings Protects T1505.002 Transport Agent
CM-8 System Component Inventory Protects T1505.002 Transport Agent
IA-2 Identification and Authentication (organizational Users) Protects T1505.002 Transport Agent
IA-9 Service Identification and Authentication Protects T1505.002 Transport Agent
RA-5 Vulnerability Monitoring and Scanning Protects T1505.002 Transport Agent
SA-10 Developer Configuration Management Protects T1505.002 Transport Agent
SA-11 Developer Testing and Evaluation Protects T1505.002 Transport Agent
SI-4 System Monitoring Protects T1505.002 Transport Agent
SI-7 Software, Firmware, and Information Integrity Protects T1505.002 Transport Agent
SR-11 Component Authenticity Protects T1505.002 Transport Agent
SR-4 Provenance Protects T1505.002 Transport Agent
SR-5 Acquisition Strategies, Tools, and Methods Protects T1505.002 Transport Agent
SR-6 Supplier Assessments and Reviews Protects T1505.002 Transport Agent
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1505.002 Server Software Component: Transport Agent
action.hacking.variety.Use of backdoor or C2 Use of Backdoor or C2 channel related-to T1505.002 Server Software Component: Transport Agent
action.hacking.vector.Backdoor or C2 Backdoor or command and control channel related-to T1505.002 Server Software Component: Transport Agent
action.malware.variety.Backdoor Backdoor (enable remote access). Child of 'RAT' when combined with 'Trojan' related-to T1505.002 Server Software Component: Transport Agent