| ID | Name |
|---|---|
| ATAGS-T1074.001 | IIS Components |
| ATAGS-T1074.002 | SQL Stored Procedures |
| ATAGS-T1074.003 | Terminal Services DLL |
| ATAGS-T1074.004 | Transport Agent |
| ATAGS-T1074.005 | vSphere Installation Bundles |
| ATAGS-T1074.006 | Web Shell |

Threat actors may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents are invoked during a specified stage of email processing and carry out developer-defined tasks.
This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.
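
Since transport agents are assemblies registered with the Exchange server, a periodic audit of what is registered is a practical detective check. The script below is an added example, not part of the original entry: it is meant for the Exchange Management Shell and compares each registered agent against a baseline. The baseline file name and its columns (`Identity`, `AssemblyPath`, `Sha256`) are assumptions; the baseline itself is assumed to be exported from a known-good server.

```powershell
# Added example. Run in the Exchange Management Shell on the server being audited.
# Assumption: $BaselinePath is a CSV with columns Identity,AssemblyPath,Sha256
# exported from a known-good state. The file name is hypothetical.
param(
    [string]$BaselinePath = '.\transport-agent-baseline.csv'
)

# Index the baseline by agent name; an absent baseline flags every agent.
$baseline = @{}
if (Test-Path -LiteralPath $BaselinePath) {
    Import-Csv -LiteralPath $BaselinePath | ForEach-Object { $baseline[$_.Identity] = $_ }
}

$report = foreach ($agent in Get-TransportAgent) {
    $name   = [string]$agent.Identity
    $path   = [string]$agent.AssemblyPath
    $exists = $path -and (Test-Path -LiteralPath $path)

    # Hash and Authenticode status of the .NET assembly backing the agent.
    $hash = $null
    $sig  = 'FileMissing'
    if ($exists) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig  = [string](Get-AuthenticodeSignature -LiteralPath $path).Status
    }

    $known = $baseline[$name]
    if (-not $known)                           { $finding = 'NotInBaseline' }
    elseif ($known.AssemblyPath -ne $path)     { $finding = 'PathChanged' }
    elseif ($known.Sha256 -ne $hash)           { $finding = 'HashChanged' }
    else                                       { $finding = 'MatchesBaseline' }

    [pscustomobject]@{
        Agent     = $name
        Enabled   = $agent.Enabled
        Priority  = $agent.Priority
        Factory   = $agent.TransportAgentFactory
        Assembly  = $path
        Signature = $sig
        Finding   = $finding
    }
}

# Full inventory, then only the entries that need review.
$report | Sort-Object Priority | Format-Table -AutoSize
$report | Where-Object { $_.Finding -ne 'MatchesBaseline' -or $_.Signature -ne 'Valid' } |
    Format-List
```

An agent that is missing from the baseline, points at a changed path or hash, or is backed by an assembly without a valid signature is a candidate for review, not proof of compromise.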