Microsoft Exchange Server UM Writing Suspicious Files
Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/03/04"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity
13has been observed exploiting CVE-2021-26858.
14"""
15false_positives = [
16 """
17 Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
18 """,
19 """
20 This rule was tuned using the following baseline:
21 https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from
22 Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to
23 help determine normalcy.
24 """,
25]
26from = "now-9m"
27index = ["winlogbeat-*", "logs-endpoint.events.file-*", "logs-windows.sysmon_operational-*", "endgame-*"]
28language = "eql"
29license = "Elastic License v2"
30name = "Microsoft Exchange Server UM Writing Suspicious Files"
31note = """## Triage and analysis
32
33Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).
34
35Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
36from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support
37[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
38"""
39references = [
40 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
41 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
42]
43risk_score = 47
44rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
45setup = """## Setup
46
47If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
48events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
49Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
50`event.ingested` to @timestamp.
51For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
52"""
53severity = "medium"
54tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend", "Data Source: Sysmon"]
55timestamp_override = "event.ingested"
56type = "eql"
57
58query = '''
59file where host.os.type == "windows" and event.type == "creation" and
60 process.name : ("UMWorkerProcess.exe", "umservice.exe") and
61 file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
62 (
63 file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or
64
65 (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
66 not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
67 file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
68 "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or
69
70 (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
71 not file.name : "TimeoutLogoff.aspx")
72 )
73'''
74
75
76[[rule.threat]]
77framework = "MITRE ATT&CK"
78[[rule.threat.technique]]
79id = "T1190"
80name = "Exploit Public-Facing Application"
81reference = "https://attack.mitre.org/techniques/T1190/"
82
83
84[rule.threat.tactic]
85id = "TA0001"
86name = "Initial Access"
87reference = "https://attack.mitre.org/tactics/TA0001/"
88
89
90[[rule.threat]]
91framework = "MITRE ATT&CK"
92[[rule.threat.technique]]
93id = "T1210"
94name = "Exploitation of Remote Services"
95reference = "https://attack.mitre.org/techniques/T1210/"
96
97
98[rule.threat.tactic]
99id = "TA0008"
100name = "Lateral Movement"
101reference = "https://attack.mitre.org/tactics/TA0008/"
Triage and analysis
Positive hits can be checked against the established Microsoft baselines.
Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support repository
References
Related rules
- Microsoft Exchange Server UM Spawning Suspicious Processes
- Unusual File Modification by dns.exe
- First Time Seen Removable Device
- Lateral Movement via Startup Folder
- Local Account TokenFilter Policy Disabled