Microsoft Exchange Server UM Writing Suspicious Files
Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/03/04"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic", "Austin Songer"]
9description = """
10Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity
11has been observed exploiting CVE-2021-26858.
12"""
13false_positives = [
14 """
15 Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
16 """,
17 """
18 This rule was tuned using the following baseline:
19 https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from
20 Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to
21 help determine normalcy.
22 """,
23]
24from = "now-9m"
25index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
26language = "eql"
27license = "Elastic License v2"
28name = "Microsoft Exchange Server UM Writing Suspicious Files"
29note = """## Triage and analysis
30
31Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).
32
33Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
34from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support
35[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
36"""
37references = [
38 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
39 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
40]
41risk_score = 47
42rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
43setup = """## Setup
44
45If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
46events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
47Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
48`event.ingested` to @timestamp.
49For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
50"""
51severity = "medium"
52tags = [
53 "Domain: Endpoint",
54 "OS: Windows",
55 "Use Case: Threat Detection",
56 "Tactic: Initial Access",
57 "Tactic: Lateral Movement",
58 "Data Source: Elastic Endgame",
59 "Use Case: Vulnerability",
60 "Data Source: Elastic Defend",
61 "Data Source: Sysmon",
62]
63timestamp_override = "event.ingested"
64type = "eql"
65
66query = '''
67file where host.os.type == "windows" and event.type == "creation" and
68 process.name : ("UMWorkerProcess.exe", "umservice.exe") and
69 file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
70 (
71 file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or
72
73 (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
74 not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
75 file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
76 "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or
77
78 (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
79 not file.name : "TimeoutLogoff.aspx")
80 )
81'''
82
83
84[[rule.threat]]
85framework = "MITRE ATT&CK"
86[[rule.threat.technique]]
87id = "T1190"
88name = "Exploit Public-Facing Application"
89reference = "https://attack.mitre.org/techniques/T1190/"
90
91
92[rule.threat.tactic]
93id = "TA0001"
94name = "Initial Access"
95reference = "https://attack.mitre.org/tactics/TA0001/"
96[[rule.threat]]
97framework = "MITRE ATT&CK"
98[[rule.threat.technique]]
99id = "T1210"
100name = "Exploitation of Remote Services"
101reference = "https://attack.mitre.org/techniques/T1210/"
102
103
104[rule.threat.tactic]
105id = "TA0008"
106name = "Lateral Movement"
107reference = "https://attack.mitre.org/tactics/TA0008/"
Triage and analysis
Positive hits can be checked against the established Microsoft baselines.
Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support repository
References
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Unusual File Modification by dns.exe
- First Time Seen Removable Device
- Lateral Movement via Startup Folder
- Microsoft Exchange Worker Spawning Suspicious Processes