Transport Agent - T1505.002
(ATT&CK® Technique)
Definition
Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails. Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents are invoked during a specified stage of email processing and carry out developer-defined tasks.
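Because every transport agent is a .NET assembly registered with the Exchange server, the registration list can be audited directly. The following is an added example, not part of the ATT&CK or D3FEND text: it lists each registered agent from the Exchange Management Shell, then flags agents that are missing from an approved baseline or whose assembly is absent or not validly signed. The baseline names in $ApprovedAgents are constructed placeholders and must be replaced with the agents approved in your environment.

```powershell
# Run in the Exchange Management Shell on the Exchange server being audited.
# Constructed placeholder baseline: replace with your approved agent names.
$ApprovedAgents = @('Transport Rule Agent', 'Malware Agent')

$report = foreach ($agent in Get-TransportAgent) {
    $path      = $agent.AssemblyPath
    $onDisk    = [bool]($path -and (Test-Path -LiteralPath $path))
    $sigStatus = 'FileMissing'
    $signer    = $null
    $sha256    = $null

    if ($onDisk) {
        # Authenticode status of the registered assembly (Valid, NotSigned, HashMismatch, ...)
        $sig       = Get-AuthenticodeSignature -FilePath $path
        $sigStatus = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        # Hash recorded so the assembly can be compared across servers or over time
        $sha256    = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    }

    [pscustomobject]@{
        Agent       = $agent.Identity.ToString()
        Enabled     = $agent.Enabled
        Priority    = $agent.Priority
        Factory     = $agent.TransportAgentFactory
        Assembly    = $path
        InBaseline  = $ApprovedAgents -contains $agent.Identity.ToString()
        Signature   = $sigStatus
        Signer      = $signer
        SHA256      = $sha256
    }
}

# Full inventory, in the order the pipeline invokes the agents
$report | Sort-Object Priority | Format-Table Agent, Enabled, Priority, Signature, InBaseline -AutoSize

# Agents that warrant review: not in the baseline, or assembly missing / not validly signed
$report | Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Format-List Agent, Enabled, Factory, Assembly, Signature, Signer, SHA256
```

A valid signature only shows who signed the assembly, so the Signer and SHA256 columns should still be compared against a known-good record for each approved agent.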
D3FEND Inferred Relationships
Offensive technique relationships:
- Transport Agent modifies Mail Server
- Transport Agent adds Message Transfer Agent

Defensive techniques inferred through those artifacts:
- Process Self-Modification Detection: analyzes Message Transfer Agent; may-detect Transport Agent
- Process Spawn Analysis: analyzes Message Transfer Agent; may-detect Transport Agent
- Process Lineage Analysis: analyzes Message Transfer Agent; may-detect Transport Agent
- Endpoint Health Beacon: monitors Mail Server; may-detect Transport Agent
- Kernel-based Process Isolation: isolates Message Transfer Agent; may-isolate Transport Agent
- Application-based Process Isolation: isolates Message Transfer Agent; may-isolate Transport Agent
- Hardware-based Process Isolation: isolates Message Transfer Agent; may-isolate Transport Agent
- System Call Filtering: isolates Message Transfer Agent; may-isolate Transport Agent
- Web Session Access Mediation: isolates Message Transfer Agent; may-isolate Transport Agent
- Process Suspension: suspends Message Transfer Agent; may-evict Transport Agent
- Process Termination: terminates Message Transfer Agent; may-evict Transport Agent
- Host Shutdown: terminates Message Transfer Agent; may-evict Transport Agent
- Host Reboot: terminates Message Transfer Agent; may-evict Transport Agent
- Email Removal: may-access Mail Server; may-evict Transport Agent
- Restore Network Access: restores Mail Server; may-restore Transport Agent