Microsoft Exchange Server UM Spawning Suspicious Processes
Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2021/03/04"
3integration = ["endpoint", "windows", "system"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic", "Austin Songer"]
9description = """
10Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This
11activity has been observed exploiting CVE-2021-26857.
12"""
13false_positives = [
14 """
15 Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known
16 processes are causing false positives, they can be exempted from the rule.
17 """,
18]
19from = "now-9m"
20index = [
21 "logs-endpoint.events.process-*",
22 "winlogbeat-*",
23 "logs-windows.*",
24 "endgame-*",
25 "logs-system.security*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
30references = [
31 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
32 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
33]
34risk_score = 47
35rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
36setup = """## Setup
37
38If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
39events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
40Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
41`event.ingested` to @timestamp.
42For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
43"""
44severity = "medium"
45tags = [
46 "Domain: Endpoint",
47 "OS: Windows",
48 "Use Case: Threat Detection",
49 "Tactic: Initial Access",
50 "Tactic: Lateral Movement",
51 "Data Source: Elastic Endgame",
52 "Use Case: Vulnerability",
53 "Data Source: Elastic Defend",
54]
55timestamp_override = "event.ingested"
56type = "eql"
57
58query = '''
59process where host.os.type == "windows" and event.type == "start" and
60 process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
61 not process.executable :
62 ("?:\\Windows\\System32\\werfault.exe",
63 "?:\\Windows\\System32\\wermgr.exe",
64 "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
65 "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
66 "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
67 "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
68 "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
69 "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
70 "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
71'''
72
73
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76[[rule.threat.technique]]
77id = "T1190"
78name = "Exploit Public-Facing Application"
79reference = "https://attack.mitre.org/techniques/T1190/"
80
81
82[rule.threat.tactic]
83id = "TA0001"
84name = "Initial Access"
85reference = "https://attack.mitre.org/tactics/TA0001/"
86[[rule.threat]]
87framework = "MITRE ATT&CK"
88[[rule.threat.technique]]
89id = "T1210"
90name = "Exploitation of Remote Services"
91reference = "https://attack.mitre.org/techniques/T1210/"
92
93
94[rule.threat.tactic]
95id = "TA0008"
96name = "Lateral Movement"
97reference = "https://attack.mitre.org/tactics/TA0008/"
References
Related rules
- Microsoft Exchange Server UM Writing Suspicious Files
- Mounting Hidden or WebDav Remote Shares
- Unusual Child Process of dns.exe
- Unusual File Modification by dns.exe
- Command Execution via SolarWinds Process