Microsoft Exchange Server UM Spawning Suspicious Processes

 1[metadata]
 2creation_date = "2021/03/04"
 3integration = ["endpoint", "windows", "system"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic", "Austin Songer"]
11description = """
12Identifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This
13activity has been observed exploiting CVE-2021-26857.
14"""
15false_positives = [
16    """
17    Legitimate processes may be spawned from the Microsoft Exchange Server Unified Messaging (UM) service. If known
18    processes are causing false positives, they can be exempted from the rule.
19    """,
20]
21from = "now-9m"
22index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.*", "endgame-*", "logs-system.security*"]
23language = "eql"
24license = "Elastic License v2"
25name = "Microsoft Exchange Server UM Spawning Suspicious Processes"
26references = [
27    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
28    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
29]
30risk_score = 47
31rule_id = "483c4daf-b0c6-49e0-adf3-0bfa93231d6b"
32setup = """## Setup
33
34If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
35events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
36Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
37`event.ingested` to @timestamp.
38For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
39"""
40severity = "medium"
41tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Lateral Movement", "Data Source: Elastic Endgame", "Use Case: Vulnerability", "Data Source: Elastic Defend"]
42timestamp_override = "event.ingested"
43type = "eql"
44
45query = '''
46process where host.os.type == "windows" and event.type == "start" and
47  process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and
48    not process.executable :
49              ("?:\\Windows\\System32\\werfault.exe",
50               "?:\\Windows\\System32\\wermgr.exe",
51               "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe",
52               "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe",
53               "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe",
54               "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe",
55               "D:\\Exchange\\Bin\\UMWorkerProcess.exe",
56               "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe",
57               "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe")
58'''
59
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1190"
65name = "Exploit Public-Facing Application"
66reference = "https://attack.mitre.org/techniques/T1190/"
67
68
69[rule.threat.tactic]
70id = "TA0001"
71name = "Initial Access"
72reference = "https://attack.mitre.org/tactics/TA0001/"
73
74[[rule.threat]]
75framework = "MITRE ATT&CK"
76[[rule.threat.technique]]
77id = "T1210"
78name = "Exploitation of Remote Services"
79reference = "https://attack.mitre.org/techniques/T1210/"
80
81
82[rule.threat.tactic]
83id = "TA0008"
84name = "Lateral Movement"
85reference = "https://attack.mitre.org/tactics/TA0008/"