Microsoft Exchange Server UM Writing Suspicious Files
Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/03/04"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2023/10/23"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity
13has been observed exploiting CVE-2021-26858.
14"""
15false_positives = [
16 """
17 Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
18 """,
19 """
20 This rule was tuned using the following baseline:
21 https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from
22 Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to
23 help determine normalcy.
24 """,
25]
26from = "now-9m"
27index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*", "endgame-*"]
28language = "eql"
29license = "Elastic License v2"
30name = "Microsoft Exchange Server UM Writing Suspicious Files"
31note = """## Triage and analysis
32
33Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).
34
35Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
36from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support
37[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
38
39
40"""
41references = [
42 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
43 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
44]
45risk_score = 47
46rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
47setup="""
48
49If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
50events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
51Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
52`event.ingested` to @timestamp.
53For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
54"""
55severity = "medium"
56tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
57timestamp_override = "event.ingested"
58type = "eql"
59
60query = '''
61file where host.os.type == "windows" and event.type == "creation" and
62 process.name : ("UMWorkerProcess.exe", "umservice.exe") and
63 file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
64 (
65 file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or
66
67 (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
68 not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
69 file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
70 "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or
71
72 (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
73 not file.name : "TimeoutLogoff.aspx")
74 )
75'''
76
77
78[[rule.threat]]
79framework = "MITRE ATT&CK"
80[[rule.threat.technique]]
81id = "T1190"
82name = "Exploit Public-Facing Application"
83reference = "https://attack.mitre.org/techniques/T1190/"
84
85
86[rule.threat.tactic]
87id = "TA0001"
88name = "Initial Access"
89reference = "https://attack.mitre.org/tactics/TA0001/"
90
91
92[[rule.threat]]
93framework = "MITRE ATT&CK"
94[[rule.threat.technique]]
95id = "T1210"
96name = "Exploitation of Remote Services"
97reference = "https://attack.mitre.org/techniques/T1210/"
98
99
100[rule.threat.tactic]
101id = "TA0008"
102name = "Lateral Movement"
103reference = "https://attack.mitre.org/tactics/TA0008/"
Triage and analysis
Positive hits can be checked against the established Microsoft baselines.
Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support repository
References
-
[UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the […]
Read More
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Mounting Hidden or WebDav Remote Shares
- Unusual Child Process of dns.exe
- Unusual File Modification by dns.exe
- Command Execution via SolarWinds Process