Microsoft Exchange Server UM Writing Suspicious Files

Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed during exploitation of CVE-2021-26858.

Elastic rule

[metadata]
creation_date = "2021/03/04"
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity
has been observed during exploitation of CVE-2021-26858.
"""
false_positives = [
    """
    Files written during installation will generate a lot of noise, so the rule should only be enabled after the fact.
    """,
    """
    This rule was tuned using the following baseline:
    https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from
    Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to
    help determine normalcy.
    """,
]
from = "now-9m"
index = [
    "winlogbeat-*",
    "logs-endpoint.events.file-*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Exchange Server UM Writing Suspicious Files"
note = """## Triage and analysis

Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).

Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support
[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security).
"""

setup = """## Setup

This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.

Setup instructions: https://ela.st/install-elastic-defend

### Additional data sources

This rule also supports the following third-party data sources. For setup instructions, refer to the links below:

- [Microsoft Defender XDR](https://ela.st/m365-defender)
- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
- [Sysmon Event ID 11 - File Create](https://ela.st/sysmon-event-11-setup)
"""

references = [
    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
]
risk_score = 47
rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: Microsoft Defender XDR",
    "Data Source: SentinelOne",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
file where host.os.type == "windows" and event.type == "creation" and
  process.name : ("UMWorkerProcess.exe", "umservice.exe") and
  file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
  (
    file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or

    (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
       not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
            file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
                        "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or

    (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
       not file.name : "TimeoutLogoff.aspx")
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"

[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"

[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
