NT AUTHORITY\SYSTEM (powershell), New-MailboxExportRequest

Sajid Azeem 1 Reputation point
2023-03-06T09:13:01.29+00:00

Hi Community,

I have Exchange 2016 servers on CU22 and CU23. All are patched with the latest patches on both CU updates, but recently I have seen a mailbox export request in my EAC notification bell. I checked and was surprised: some exploit ran a command in PowerShell to get a PST file. How do I protect against it? Mitigations are also applied, but the PowerShell is still running. Why, and how do I become more secure?

User:
NT AUTHORITY\SYSTEM (powershell)

Object modified:
DB#979badcf-b2d0-4679-b96a-e88dc28582e3\87df17eb-24e4-4f3d-8343-45227c43db85

Cmdlet:
New-MailboxExportRequest

Parameters (Parameter:Value)

Members: Mailbox,ContentFilter,FilePath
Mailbox: test, ContentFilter: (Received -gt '10/1/2022 00:00') -and (Received -lt '3/6/2023 22:00'), FilePath: \127.0.0.1\c$\windows\help\test.pst

This command was not run by anybody inside. It exported the mailbox PST and retrieved it.

Please help me to resolve the issue.
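As an added example that is not part of the original post: a triage script, run from the Exchange Management Shell on the affected server, that classifies export requests like the audit entry above and then hunts for others in the admin audit log. The cmdlets used (Search-AdminAuditLog, Get-MailboxExportRequest, Get-MailboxExportRequestStatistics, Remove-MailboxExportRequest) are real Exchange cmdlets; the function name Test-SuspiciousExport, the classification rules and the constructed sample entry are my own, with the sample mirroring the caller and FilePath shown in the question.

```powershell
# Added example, not from the thread. Assumes admin audit logging is on (the
# Exchange default, 90-day retention) and the shell has the Mailbox Import
# Export role. The rules below are heuristics I chose, not an Exchange feature.

function Test-SuspiciousExport {
    param(
        [Parameter(Mandatory)][string]$Caller,
        [Parameter(Mandatory)][string]$FilePath
    )
    $reasons = @()
    # Exports are normally created by a named admin account; SYSTEM acting
    # through the PowerShell virtual directory is not how an admin works.
    if ($Caller -match '^NT AUTHORITY\\SYSTEM') { $reasons += 'caller is NT AUTHORITY\SYSTEM' }
    # A loopback UNC share means the PST lands on the Exchange server itself.
    # (one or two leading backslashes, so the form shown in the question also matches)
    if ($FilePath -match '^\\+(127\.0\.0\.1|localhost)\\') { $reasons += 'loopback UNC path' }
    # An admin share into \Windows is not a dedicated export share.
    if ($FilePath -match '\\[a-zA-Z]\$\\windows\\') { $reasons += 'written via admin share under \Windows' }
    # Web-served directories: a file dropped there can be fetched over HTTP.
    if ($FilePath -match '\\inetpub\\|\\FrontEnd\\HttpProxy\\|\\ClientAccess\\') { $reasons += 'web-accessible directory' }

    [pscustomobject]@{
        Caller     = $Caller
        FilePath   = $FilePath
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample mirroring the audit entry from the question.
Test-SuspiciousExport -Caller 'NT AUTHORITY\SYSTEM (powershell)' `
                      -FilePath '\\127.0.0.1\c$\windows\help\test.pst' | Format-List

# Live hunt: only runs inside the Exchange Management Shell.
if (Get-Command Search-AdminAuditLog -ErrorAction SilentlyContinue) {
    # 1. Every New-MailboxExportRequest in the retained audit window, classified.
    Search-AdminAuditLog -Cmdlets New-MailboxExportRequest -StartDate (Get-Date).AddDays(-90) |
        ForEach-Object {
            $path = ($_.CmdletParameters | Where-Object Name -eq 'FilePath').Value
            $mbx  = ($_.CmdletParameters | Where-Object Name -eq 'Mailbox').Value
            $t    = Test-SuspiciousExport -Caller $_.Caller -FilePath $path
            [pscustomobject]@{
                When       = $_.RunDate
                Server     = $_.OriginatingServer
                Caller     = $_.Caller
                Mailbox    = $mbx
                FilePath   = $path
                Suspicious = $t.Suspicious
                Reasons    = $t.Reasons
            }
        } | Format-Table -AutoSize

    # 2. Requests still queued, in progress, or completed and never cleaned up.
    Get-MailboxExportRequest |
        Get-MailboxExportRequestStatistics |
        Select-Object Name, Status, SourceAlias, FilePath, RequestQueue, WhenCreated |
        Format-Table -AutoSize

    # 3. After reviewing, remove requests you did not create, e.g.:
    # Get-MailboxExportRequest -Name <RequestName> | Remove-MailboxExportRequest -Confirm:$false
}
```

Removing the request only stops further exports; the PST already written at the FilePath, and whatever created the request, still have to be handled separately. Treat the audit entry's OriginatingServer and RunDate as the pivot for IIS and PowerShell log review on that host.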


2 answers

  1. Jarvis Sun-MSFT 10,181 Reputation points Microsoft Vendor
    2023-03-07T08:43:11.1733333+00:00

    Hi @Sajid Azeem ,

    For your current situation, below are some suggestions for reference:

    1. I can understand that you've already patched your Exchange servers with the latest updates, but it's still suggested to run the HealthChecker script, which can double-check whether any updates are missing and help detect specific vulnerabilities in the Exchange server.
    2. Simply download Microsoft Safety Scanner and run a scan to find malware and try to reverse changes made by identified threats.
    3. Keep antivirus and other protections enabled.
       It's critical to protect Exchange servers with antivirus software and other security solutions like firewall protection and MFA. And you can check whether the antivirus programs running in your environment have any potentially relevant findings about the issue you described.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". 


  2. Sajid Azeem 1 Reputation point
    2023-03-07T10:04:43.17+00:00

    Hi Jarvis Sun-MSFT,

    Thanks for your support. I have updated all my Windows and Exchange servers to the latest 2016 CU23 February update, but this PowerShell command is executed through IIS. I need to know the Extended Protection procedure that we should take to secure our environment. I have already run the MSRT exe and it did not find any malware, but the intrusion still exists. If you could please help me with the procedure to secure Exch 2016 CU23 latest se

    Regards

    Sajid Azeem
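As an added example that is not part of the thread: a read-only check for the Extended Protection question raised in the reply above. It reports the Windows Extended Protection (channel binding) tokenChecking value on each Exchange IIS virtual directory and flags any still set to None, then lists who holds the Mailbox Import Export role, since that role is what New-MailboxExportRequest requires. Get-WebConfiguration (IIS WebAdministration module) and Get-ManagementRoleAssignment are real cmdlets; the function name Get-ExchangeEPStatus and the site/vdir list are my own, and the list assumes the Exchange 2016 default site and vdir names. The authoritative per-vdir values are set by Microsoft's ExchangeExtendedProtectionManagement.ps1 script; this only shows what is currently configured.

```powershell
# Added example, not from the thread. Run in an elevated Exchange Management
# Shell on the Exchange 2016 server. Assumes the default IIS site names
# ('Default Web Site' front end, 'Exchange Back End') and default vdir names.

Import-Module WebAdministration

$targets = @{
    'Default Web Site'  = @('API','Autodiscover','ECP','EWS','MAPI',
                            'Microsoft-Server-ActiveSync','OAB','OWA','PowerShell','RPC')
    'Exchange Back End' = @('API','Autodiscover','ECP','EWS','MAPI\emsmdb','MAPI\nspi',
                            'Microsoft-Server-ActiveSync','OAB','OWA','PowerShell',
                            'PushNotifications','RPC','RPCWithCert')
}

function Get-ExchangeEPStatus {
    foreach ($site in $targets.Keys) {
        foreach ($vdir in $targets[$site]) {
            $psPath = "IIS:\Sites\$site\$vdir"
            # Not every vdir exists on every server; skip the missing ones.
            if (-not (Test-Path $psPath)) { continue }
            $ep = Get-WebConfiguration -PSPath $psPath `
                    -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection'
            $tc = [string]$ep.tokenChecking   # None | Allow | Require
            [pscustomobject]@{
                Site          = $site
                VirtualDir    = $vdir
                TokenChecking = $tc
                Flag          = if ($tc -eq 'None') { 'EXTENDED PROTECTION OFF' } else { '' }
            }
        }
    }
}

Get-ExchangeEPStatus | Sort-Object Site, VirtualDir | Format-Table -AutoSize

# Who can create mailbox export requests at all? By default no one holds this
# role; every assignment listed here should be an account or group you know.
Get-ManagementRoleAssignment -Role 'Mailbox Import Export' |
    Select-Object RoleAssigneeName, RoleAssigneeType, AssignmentMethod, WhenCreated |
    Format-Table -AutoSize
```

Do not flip tokenChecking by hand based on this output: Extended Protection has prerequisites (consistent TLS settings across all Exchange servers, no SSL offloading on the load balancer) and per-vdir values that differ between the front-end and back-end sites, which is why Microsoft ships the configuration script. Use this check to confirm the script's result and to spot a server it never reached.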