Microsoft Exchange Server UM Spawning Suspicious Processes
Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/03/04"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/10/31"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This
13activity has been observed exploiting CVE-2021-26857.
14"""
15false_positives = [
16 """
17 Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known
18 processes are causing false positives, they can be exempted from the rule.
19 """,
20]
21from = "now-9m"
22index = [
23 "logs-endpoint.events.process-*",
24 "winlogbeat-*",
25 "logs-windows.forwarded*",
26 "logs-windows.sysmon_operational-*",
27 "endgame-*",
28 "logs-system.security*",
29 "logs-m365_defender.event-*",
30 "logs-sentinel_one_cloud_funnel.*",
31 "logs-crowdstrike.fdr*",
32]
33language = "eql"
34license = "Elastic License v2"
35name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
36references = [
37 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
38 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
39]
40risk_score = 47
41rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
42severity = "medium"
43tags = [
44 "Domain: Endpoint",
45 "OS: Windows",
46 "Use Case: Threat Detection",
47 "Tactic: Initial Access",
48 "Tactic: Lateral Movement",
49 "Data Source: Elastic Endgame",
50 "Use Case: Vulnerability",
51 "Data Source: Elastic Defend",
52 "Data Source: System",
53 "Data Source: Microsoft Defender for Endpoint",
54 "Data Source: Sysmon",
55 "Data Source: SentinelOne",
56 "Data Source: Crowdstrike",
57]
58timestamp_override = "event.ingested"
59type = "eql"
60
61query = '''
62process where host.os.type == "windows" and event.type == "start" and
63 process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
64 not process.executable : (
65 "?:\\Windows\\System32\\werfault.exe",
66 "?:\\Windows\\System32\\wermgr.exe",
67 "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
68 "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
69 "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
70 "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
71 "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
72 "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
73 "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe",
74 "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe",
75 "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe",
76 "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
77 "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
78 "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
79 "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
80 "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe",
81 "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe",
82 "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe"
83 )
84'''
85
86
87[[rule.threat]]
88framework = "MITRE ATT&CK"
89[[rule.threat.technique]]
90id = "T1190"
91name = "Exploit Public-Facing Application"
92reference = "https://attack.mitre.org/techniques/T1190/"
93
94
95[rule.threat.tactic]
96id = "TA0001"
97name = "Initial Access"
98reference = "https://attack.mitre.org/tactics/TA0001/"
99[[rule.threat]]
100framework = "MITRE ATT&CK"
101[[rule.threat.technique]]
102id = "T1210"
103name = "Exploitation of Remote Services"
104reference = "https://attack.mitre.org/techniques/T1210/"
105
106
107[rule.threat.tactic]
108id = "TA0008"
109name = "Lateral Movement"
110reference = "https://attack.mitre.org/tactics/TA0008/"
References
-
[UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the […]
Read More
Related rules
- Unusual Child Process of dns.exe
- Execution via TSClient Mountpoint
- Remote File Copy to a Hidden Share
- Suspicious Execution from INET Cache
- Suspicious MS Office Child Process