Microsoft Exchange Worker Spawning Suspicious Processes

Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/03/08"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/03/06"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may
13indicate exploitation activity or access to an existing web shell backdoor.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Microsoft Exchange Worker Spawning Suspicious Processes"
20note = """## Setup
21
22If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define `event.ingested` and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate `event.ingested` to @timestamp for this rule to work.
23"""
24references = [
25    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
26    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
27    "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
28]
29risk_score = 73
30rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
31severity = "high"
32tags = ["Elastic", "Host", "Windows", "Threat Detection", "Initial Access", "Elastic Endgame"]
33timestamp_override = "event.ingested"
34type = "eql"
35
36query = '''
37process where host.os.type == "windows" and event.type == "start" and
38  process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
39  (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
40  process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
41'''
42
43
44[[rule.threat]]
45framework = "MITRE ATT&CK"
46[[rule.threat.technique]]
47id = "T1190"
48name = "Exploit Public-Facing Application"
49reference = "https://attack.mitre.org/techniques/T1190/"
50
51
52[rule.threat.tactic]
53id = "TA0001"
54name = "Initial Access"
55reference = "https://attack.mitre.org/tactics/TA0001/"

Setup

If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2, events will not define event.ingested and default fallback for EQL rules was not added until 8.2, so you will need to add a custom pipeline to populate event.ingested to @timestamp for this rule to work.

to-top