Microsoft Exchange Worker Spawning Suspicious Processes

calendar Apr 1, 2024 · Domain: Endpoint OS: Windows Use Case: Threat Detection Tactic: Initial Access Tactic: Execution Data Source: Elastic Endgame Data Source: Elastic Defend Data Source: Sysmon  ·
Share on: linkedin copy

Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may indicate exploitation activity or access to an existing web shell backdoor.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2021/03/08"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2024/03/28"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may
13indicate exploitation activity or access to an existing web shell backdoor.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Microsoft Exchange Worker Spawning Suspicious Processes"
20references = [
21    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
22    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
23    "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
24]
25risk_score = 73
26rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
27setup = """## Setup
28
29If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
30events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
31Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
32`event.ingested` to @timestamp.
33For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
34"""
35severity = "high"
36tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41process where host.os.type == "windows" and event.type == "start" and
42  process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
43  (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
44  ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
45'''
46
47
48[[rule.threat]]
49framework = "MITRE ATT&CK"
50[[rule.threat.technique]]
51id = "T1190"
52name = "Exploit Public-Facing Application"
53reference = "https://attack.mitre.org/techniques/T1190/"
54
55
56[rule.threat.tactic]
57id = "TA0001"
58name = "Initial Access"
59reference = "https://attack.mitre.org/tactics/TA0001/"
60
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1059"
65name = "Command and Scripting Interpreter"
66reference = "https://attack.mitre.org/techniques/T1059/"
67[[rule.threat.technique.subtechnique]]
68id = "T1059.001"
69name = "PowerShell"
70reference = "https://attack.mitre.org/techniques/T1059/001/"
71[[rule.threat.technique.subtechnique]]
72id = "T1059.003"
73name = "Windows Command Shell"
74reference = "https://attack.mitre.org/techniques/T1059/003/"
75
76
77[rule.threat.tactic]
78id = "TA0002"
79name = "Execution"
80reference = "https://attack.mitre.org/tactics/TA0002/"

References

  • https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers


    Read More

  • Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities

    [UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the [&hellip;]


    Read More

  • Detection and Response for HAFNIUM Activity

    Detection and Response for HAFNIUM Activity Executive summary On March 2, 2021, Microsoft released a security update for on-premises Exchange servers to address vulnerabilities being exploited. Security vendors are seeing these vulnerabilities being actively exploited, confirming an imminent threat of leaving systems un-patched. Elastic Security Intelligence & Analytics shares information about detections for this activity, and observations about exploitation in the wild. Details On March 2, 20...


    Read More

Related rules

to-top