MSExchange CmdletLogs
2 events across 1 channel
| Event | Title | Channel | Sample |
|---|---|---|---|
| 1 | Cmdlet succeeded | MSExchange Management | Y |
| 6 | Cmdlet failed | MSExchange Management | Y |
Event ID 1
Fields
| Name | Description |
|---|---|
| Data_0 | Positional array of cmdlet-logging values, exported here as one string of `<string>` elements: cmdlet name, parameters, caller, caller SIDs, session type, host process (PID and w3wp app pool), elapsed time, AD server settings, activity ID (see the example below) |
| Binary | Empty in the sample |
Example Event
{
"system": {
"provider": "MSExchange CmdletLogs",
"guid": "",
"event_source_name": "",
"event_id": 1,
"version": 0,
"level": 4,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-09 21:28:04.651531+00:00",
"event_record_id": 75,
"correlation": {
"ActivityID": "",
"RelatedActivityID": ""
},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "MSExchange Management",
"computer": "EX-DC01-2022.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "<string>Test-MAPIConnectivity</string>\n<string></string>\n<string>ludus.domain/Users/domainadmin</string>\n<string>S-1-5-21-1006758700-2167138679-1475694448-1105</string>\n<string>S-1-5-21-1006758700-2167138679-1475694448-1105</string>\n<string>Remote-ManagementShell-Unknown</string>\n<string>22448 w3wp#MSExchangePowerShellAppPool</string>\n<string></string>\n<string>84</string>\n<string>00:00:02.5624680</string>\n<string>View Entire Forest: 'False', Default Scope: 'ludus.domain', Configuration Domain Controller: 'EX-DC01-2022.ludus.domain', Preferred Global Catalog: 'EX-DC01-2022.ludus.domain', Preferred Domain Controllers: '{ EX-DC01-2022.ludus.domain }'</string>\n<string></string>\n<string></string>\n<string></string>\n<string></string>\n<string></string>\n<string></string>\n<string>False</string>\n<string></string>\n<string>0 objects execution has been proxied to remote server.</string>\n<string></string>\n<string></string>\n<string>1</string>\n<string>ActivityId: bb771fc4-f21a-4027-a89d-6d210ceb9885</string>\n<string>ServicePlan:;IsAdmin:True;</string>\n<string></string>\n<string>en-US</string>\n",
"Binary": ""
},
"message": ""
}
Event ID 6
Fields
| Name | Description |
|---|---|
| Data | Same positional values as `Data_0` of Event ID 1, exported here as an array; in the sample the twelfth slot carries the .NET exception text for the failed cmdlet |
Example Event
{
"system": {
"provider": "MSExchange CmdletLogs",
"guid": "",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 2,
"task": 1,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2021-06-04T08:43:08.546589+00:00",
"event_record_id": 7187,
"correlation": {},
"execution": {
"process_id": 0,
"thread_id": 0
},
"channel": "MSExchange Management",
"computer": "exchange01.offsec.lan",
"security": {
"user_id": ""
}
},
"event_data": {
"Data": [
"Enable-TransportAgent",
"-Identity \"hack\"",
"offsec.lan/OFFSEC-COMPANY/Administrators/admmig",
"S-1-5-21-4230534742-2542757381-3142984815-1111",
"S-1-5-21-4230534742-2542757381-3142984815-1111",
"Remote-ManagementShell-Unknown",
"8372 w3wp#MSExchangePowerShellAppPool",
"",
"54",
"00:00:00.0700039",
"View Entire Forest: 'False', Default Scope: 'offsec.lan', Configuration Domain Controller: 'rootdc1.offsec.lan', Preferred Global Catalog: 'rootdc1.offsec.lan', Preferred Domain Controllers: '{ rootdc1.offsec.lan }'",
"System.ArgumentException: Transport agent \"hack\" isn't found.\r\nParameter name: Identity\r\n at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)\r\n at Microsoft.Exchange.Management.AgentTasks.AgentBaseTask.SetAgentEnabled(String identity, Boolean enabled)\r\n at Microsoft.Exchange.Management.AgentTasks.EnableTransportAgent.InternalProcessRecord()\r\n at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__91_1()\r\n at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)",
"5",
"",
"NonLocalizedException",
"",
"",
"False",
"",
"0 objects execution has been proxied to remote server.",
"",
"",
"0",
"ActivityId: 51b67026-685e-41b9-ad71-bc1e46db849b",
"ServicePlan:;IsAdmin:True;",
"",
"en-US"
]
},
"message": ""
}
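The two samples above show the same positional value array exported in two shapes: a single string of `<string>` elements in `Data_0` for Event ID 1, and a JSON array in `Data` for Event ID 6. The following Python is an added example, not code from this page or from Exchange: it normalises both shapes, names the positions that can be read off the samples (cmdlet, parameters, caller, SIDs, session type, host process, elapsed time, exception text, activity ID), and flags cmdlets on a watchlist. The field positions and the watchlist are assumptions inferred from the samples rather than taken from Microsoft documentation, and the embedded events are constructed, trimmed copies of the two examples above.

```python
"""Added example (not part of the page or of Exchange): parse MSExchange
CmdletLogs records (Event IDs 1 and 6) into named fields and flag cmdlets
on a watchlist. Field positions are inferred from the two samples above."""
import html
import re

# Positional layout of the cmdlet-log value array. Assumption: inferred from
# the two sample events on this page, not from Microsoft documentation.
# Indices that were empty in both samples are left unnamed.
FIELD_INDEX = {
    0: "cmdlet",
    1: "parameters",
    2: "caller",
    3: "logon_sid",
    4: "effective_sid",
    5: "session",        # e.g. Remote-ManagementShell-Unknown
    6: "process",        # "<pid> w3wp#MSExchangePowerShellAppPool"
    9: "elapsed",
    10: "ad_settings",
    11: "error",         # exception text, populated in the Event ID 6 sample
    23: "activity_id",
    24: "flags",         # "ServicePlan:;IsAdmin:True;"
}

# Assumed watchlist for illustration: cmdlets worth reviewing whenever they
# appear in this log, whether the call succeeded or failed.
WATCHLIST = {
    "New-ManagementRoleAssignment",
    "New-MailboxExportRequest",
    "Install-TransportAgent",
    "Enable-TransportAgent",
    "Add-MailboxPermission",
}


def _data_items(event_data):
    """Return the positional value list regardless of export shape.

    The Event ID 1 sample carries the values as one string of <string>
    elements in Data_0; the Event ID 6 sample carries them as a list in Data.
    """
    data = event_data.get("Data")
    if isinstance(data, list):
        return [str(v) for v in data]
    raw = event_data.get("Data_0") or ""
    # html.unescape restores any XML-escaped characters inside the elements.
    return [html.unescape(v) for v in re.findall(r"<string>(.*?)</string>", raw, re.DOTALL)]


def parse_cmdlet_log(event):
    """Map one exported event (dict with 'system' and 'event_data') to named fields."""
    items = _data_items(event["event_data"])
    rec = {name: (items[i] if i < len(items) else "") for i, name in FIELD_INDEX.items()}
    rec["event_id"] = int(event["system"]["event_id"])
    rec["computer"] = event["system"]["computer"]
    rec["outcome"] = {1: "succeeded", 6: "failed"}.get(rec["event_id"], "unknown")
    # "8372 w3wp#MSExchangePowerShellAppPool" -> pid 8372, host w3wp#...
    pid, _, host = rec["process"].partition(" ")
    rec["pid"] = int(pid) if pid.isdigit() else None
    rec["host_process"] = host
    return rec


def evaluate(rec):
    """Return human-readable findings for one parsed record (empty list if none)."""
    findings = []
    if rec["cmdlet"] in WATCHLIST:
        findings.append(f"{rec['cmdlet']} {rec['outcome']} for {rec['caller']} via {rec['session']}")
        if rec["outcome"] == "failed" and rec["error"]:
            # Keep the first line of the .NET exception; the stack trace follows it.
            findings.append("failure reason: " + rec["error"].splitlines()[0])
    return findings


def _wrap(values):
    """Render values in the Event ID 1 export shape (one <string> element per value)."""
    return "".join(f"<string>{v}</string>\n" for v in values)


# Constructed sample events, trimmed copies of the two examples on this page.
SAMPLE_EVENT_1 = {
    "system": {"event_id": 1, "computer": "EX-DC01-2022.ludus.domain"},
    "event_data": {"Data_0": _wrap(
        ["Test-MAPIConnectivity", "", "ludus.domain/Users/domainadmin",
         "S-1-5-21-1006758700-2167138679-1475694448-1105",
         "S-1-5-21-1006758700-2167138679-1475694448-1105",
         "Remote-ManagementShell-Unknown", "22448 w3wp#MSExchangePowerShellAppPool",
         "", "84", "00:00:02.5624680", "View Entire Forest: 'False'"]
        + [""] * 12
        + ["ActivityId: bb771fc4-f21a-4027-a89d-6d210ceb9885", "ServicePlan:;IsAdmin:True;", "", "en-US"]
    ), "Binary": ""},
}
SAMPLE_EVENT_6 = {
    "system": {"event_id": 6, "computer": "exchange01.offsec.lan"},
    "event_data": {"Data":
        ["Enable-TransportAgent", '-Identity "hack"',
         "offsec.lan/OFFSEC-COMPANY/Administrators/admmig",
         "S-1-5-21-4230534742-2542757381-3142984815-1111",
         "S-1-5-21-4230534742-2542757381-3142984815-1111",
         "Remote-ManagementShell-Unknown", "8372 w3wp#MSExchangePowerShellAppPool",
         "", "54", "00:00:00.0700039", "View Entire Forest: 'False'",
         'System.ArgumentException: Transport agent "hack" isn\'t found.\r\nParameter name: Identity',
         "5", "", "NonLocalizedException"]
        + [""] * 8
        + ["ActivityId: 51b67026-685e-41b9-ad71-bc1e46db849b", "ServicePlan:;IsAdmin:True;", "", "en-US"]},
}

if __name__ == "__main__":
    for ev in (SAMPLE_EVENT_1, SAMPLE_EVENT_6):
        rec = parse_cmdlet_log(ev)
        print(rec["computer"], rec["event_id"], rec["cmdlet"], rec["parameters"], evaluate(rec))
```

Feed `parse_cmdlet_log` the per-event dicts of a JSON export (e.g. evtx converted the way the samples above were) and route `evaluate` output to your alerting; the watchlist is the part to tune, and the empty slots left unnamed in `FIELD_INDEX` are worth mapping once you have records that populate them.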
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx