Microsoft Exchange Server UM Spawning Suspicious Processes
Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed during exploitation of CVE-2021-26857, an insecure deserialization flaw in the UM service that let HAFNIUM run code as SYSTEM on Exchange servers; because the UM worker normally only spawns crash-reporting helpers and new worker instances, any other child process is a strong signal.
Elastic rule
[metadata]
creation_date = "2021/03/04"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic", "Austin Songer"]
description = """
Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This
activity has been observed exploiting CVE-2021-26857.
"""
false_positives = [
    """
    Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known
    processes are causing false positives, they can be exempted from the rule.
    """,
]
from = "now-9m"
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.forwarded*",
    "logs-windows.sysmon_operational-*",
    "endgame-*",
    "logs-system.security*",
    "logs-m365_defender.event-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
references = [
    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
]
risk_score = 47
rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Initial Access",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Endgame",
    "Use Case: Vulnerability",
    "Data Source: Elastic Defend",
    "Data Source: System",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Crowdstrike",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
  not process.executable : (
    "?:\\Windows\\System32\\werfault.exe",
    "?:\\Windows\\System32\\wermgr.exe",
    "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
    "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
    "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
    "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
    "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
    "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
    "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe",
    "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe",
    "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe",
    "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
  )
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Microsoft Exchange Server UM Spawning Suspicious Processes

Microsoft Exchange Server's Unified Messaging (UM) integrates voice messaging with email, allowing users to access voicemails via their inbox. Adversaries exploit vulnerabilities like CVE-2021-26857 to execute unauthorized processes, potentially leading to system compromise. The detection rule identifies unusual processes initiated by UM services, excluding known legitimate executables, to flag potential exploitation attempts.

### Possible investigation steps

- Review the alert details to confirm the process parent name is either "UMService.exe" or "UMWorkerProcess.exe" and verify the process executable path is not among the known legitimate paths listed in the exclusion criteria.
- Gather additional context by checking the process command line arguments and the user account under which the suspicious process was executed to identify any anomalies or unauthorized access.
- Investigate the historical activity of the host by reviewing recent logs for any other unusual or unauthorized processes, especially those related to the Microsoft Exchange Server.
- Check for any recent patches or updates applied to the Microsoft Exchange Server to ensure that vulnerabilities like CVE-2021-26857 have been addressed.
- Correlate the alert with other security tools and data sources such as Microsoft Defender for Endpoint or Sysmon to identify any related suspicious activities or indicators of compromise.
- Assess the network activity from the host to detect any potential lateral movement or data exfiltration attempts that might be associated with the suspicious process.

### False positive analysis

- Legitimate UM service updates or patches may trigger the rule. Regularly update the list of known legitimate executables to include new or updated UM service files.
- Custom scripts or monitoring tools that interact with UM services might be flagged. Identify these scripts and add their executables to the exclusion list if they are verified as safe.
- Non-standard installation paths for Exchange Server can cause false positives. Ensure that all legitimate installation paths are included in the exclusion list to prevent unnecessary alerts.
- Administrative tasks performed by IT staff using command-line tools may be misidentified. Document these tasks and consider excluding the associated executables if they are part of routine maintenance.
- Third-party integrations with Exchange Server that spawn processes could be flagged. Verify these integrations and exclude their executables if they are deemed secure and necessary for business operations.

### Response and remediation

- Isolate the affected Microsoft Exchange Server from the network to prevent further unauthorized access or lateral movement by the adversary.
- Terminate any suspicious processes identified as being spawned by the UM service that are not part of the known legitimate executables list.
- Apply the latest security patches and updates to the Microsoft Exchange Server to address CVE-2021-26857 and any other known vulnerabilities.
- Conduct a thorough review of the server's security logs and network traffic to identify any additional indicators of compromise or unauthorized access attempts.
- Restore the server from a known good backup taken before the suspicious activity was detected, ensuring that the backup is free from compromise.
- Implement enhanced monitoring and alerting for any future suspicious processes spawned by the UM service, using the detection rule as a baseline.
- Escalate the incident to the organization's security operations center (SOC) or incident response team for further investigation and to determine if additional systems may be affected."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"


[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
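To see exactly which events the query above fires on, and to rehearse the exclusion tuning the false positive analysis recommends for non-standard installation paths, here is an added example of the rule's logic emulated offline in Python. It is not Elastic's code and not an EQL engine; it re-creates only the semantics the rule depends on: `==` is an exact comparison, `:` compares case-insensitively with `?` matching exactly one character and `*` any run of characters, and a null field never satisfies a comparison. The six sample events, the `F:\Exchange` install path and the helper names are constructed for illustration and were not captured from a real Exchange host.

```python
"""Offline emulation of the rule's EQL predicate over constructed events (added example)."""
import re
from typing import List, Optional, Sequence

# Exclusion patterns copied from the rule's query. The TOML query is a literal
# string, so the pattern EQL evaluates contains single backslashes, as here.
EXCLUDED_EXECUTABLES: List[str] = [
    r"?:\Windows\System32\werfault.exe",
    r"?:\Windows\System32\wermgr.exe",
    r"?:\Program Files\Microsoft\Exchange Server\V??\Bin\UMWorkerProcess.exe",
    r"?:\Program Files\Microsoft\Exchange Server\Bin\UMWorkerProcess.exe",
    r"D:\Exchange 2016\Bin\UMWorkerProcess.exe",
    r"E:\ExchangeServer\Bin\UMWorkerProcess.exe",
    r"D:\Exchange\Bin\UMWorkerProcess.exe",
    r"D:\Exchange Server\Bin\UMWorkerProcess.exe",
    r"E:\Exchange Server\V15\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\Windows\System32\werfault.exe",
    r"\Device\HarddiskVolume?\Windows\System32\wermgr.exe",
    r"\Device\HarddiskVolume?\Program Files\Microsoft\Exchange Server\V??\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\Program Files\Microsoft\Exchange Server\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\Exchange 2016\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\ExchangeServer\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\Exchange\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\Exchange Server\Bin\UMWorkerProcess.exe",
    r"\Device\HarddiskVolume?\Exchange Server\V15\Bin\UMWorkerProcess.exe",
]
UM_PARENTS: List[str] = ["UMService.exe", "UMWorkerProcess.exe"]


def eql_wildcard_regex(pattern: str) -> "re.Pattern[str]":
    """Translate one EQL ':' pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def eql_in(value: Optional[str], patterns: Sequence[str]) -> bool:
    """'field : (p1, p2, ...)': true when any pattern matches the whole value."""
    if value is None:
        return False  # a null field never compares equal in EQL
    return any(eql_wildcard_regex(p).fullmatch(value) for p in patterns)


def matches_rule(event: dict, exclusions: Sequence[str] = EXCLUDED_EXECUTABLES) -> bool:
    """True if a flattened ECS process event would fire the rule's query."""
    if event.get("event.category") != "process":        # 'process where'
        return False
    if event.get("host.os.type") != "windows":            # '==' is exact and case-sensitive
        return False
    if event.get("event.type") != "start":
        return False
    if not eql_in(event.get("process.parent.name"), UM_PARENTS):
        return False
    executable = event.get("process.executable")
    if executable is None:
        return False  # 'not (null : ...)' is still null, so no match
    return not eql_in(executable, exclusions)


def run_rule(events: Sequence[dict], exclusions: Sequence[str] = EXCLUDED_EXECUTABLES) -> List[dict]:
    """Return the firing events reduced to the fields the triage steps ask for."""
    fields = ("process.executable", "process.parent.name", "process.command_line", "user.name")
    return [{f: e.get(f) for f in fields} for e in events if matches_rule(e, exclusions)]


def _event(parent, executable, cmdline=None, user="NT AUTHORITY\\SYSTEM", os_type="windows"):
    """Build a constructed, flattened ECS-style process start event."""
    return {"event.category": "process", "event.type": "start", "host.os.type": os_type,
            "process.parent.name": parent, "process.executable": executable,
            "process.command_line": cmdline, "user.name": user}


# Constructed sample events (hypothetical; not captured from a real host).
SAMPLE_EVENTS = [
    # benign: UMService restarting a worker from the default V15 path
    _event("UMService.exe", r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe"),
    # benign: crash reporting logged with a device path; parent name case differs
    _event("umworkerprocess.exe", r"\Device\HarddiskVolume3\Windows\System32\wermgr.exe"),
    # suspicious: the worker spawning a command shell
    _event("UMWorkerProcess.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    # false positive candidate: an install drive the rule's exclusions do not list
    _event("UMService.exe", r"F:\Exchange\Bin\UMWorkerProcess.exe"),
    # never fires: wrong OS type, the rule is Windows-only
    _event("UMService.exe", r"C:\Windows\System32\cmd.exe", os_type="linux"),
    # never fires: executable field not collected
    _event("UMService.exe", None),
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit)
    # Tuning step from the false positive analysis: exempt the verified custom path.
    tuned = EXCLUDED_EXECUTABLES + [r"F:\Exchange\Bin\UMWorkerProcess.exe"]
    for hit in run_rule(SAMPLE_EVENTS, tuned):
        print("ALERT after tuning", hit)
```

Two caveats fall out of the emulation. First, `?` matches exactly one character, so a worker logged under `\Device\HarddiskVolume12\...` or an unexpected version directory such as `V150` is not excluded and will alert; check the logged executable form (drive letter or device path) before assuming an exclusion covers it. Second, when tuning, exclude by full path as the rule does, never by file name alone: a dropped binary named UMWorkerProcess.exe in any other directory must still fire.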
Related rules
- Mounting Hidden or WebDav Remote Shares
- Unusual Child Process of dns.exe
- Command Execution via SolarWinds Process
- Execution via TSClient Mountpoint
- Microsoft Exchange Server UM Writing Suspicious Files