Microsoft Exchange Worker Spawning Suspicious Processes

  1[metadata]
  2creation_date = "2021/03/08"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2025/03/20"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may
 11indicate exploitation activity or access to an existing web shell backdoor.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-endpoint.events.process-*",
 16    "winlogbeat-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Microsoft Exchange Worker Spawning Suspicious Processes"
 25note = """## Triage and analysis
 26
 27> **Disclaimer**:
 28> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 29
 30### Investigating Microsoft Exchange Worker Spawning Suspicious Processes
 31
 32Microsoft Exchange Server uses the worker process (w3wp.exe) to handle web requests, often running under specific application pools. Adversaries exploit this by executing malicious scripts or commands, potentially via web shells, to gain unauthorized access or execute arbitrary code. The detection rule identifies unusual child processes like command-line interpreters spawned by w3wp.exe, signaling possible exploitation or backdoor activity.
 33
 34### Possible investigation steps
 35
 36- Review the alert details to confirm the parent process is w3wp.exe and check if the process arguments include "MSExchange*AppPool" to ensure the alert is relevant to Microsoft Exchange.
 37- Examine the child process details, focusing on the process names and original file names such as cmd.exe, powershell.exe, pwsh.exe, and powershell_ise.exe, to identify any unauthorized or unexpected command-line activity.
 38- Investigate the timeline of events leading up to the alert, including any preceding or subsequent processes, to understand the context and potential impact of the suspicious activity.
 39- Check for any associated network activity or connections initiated by the suspicious processes to identify potential data exfiltration or communication with external command and control servers.
 40- Review recent changes or access logs on the affected Exchange server to identify any unauthorized access attempts or modifications that could indicate exploitation or the presence of a web shell.
 41- Correlate the alert with other security events or logs from data sources like Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, or SentinelOne to gather additional context and corroborate findings.
 42- Assess the risk and impact of the detected activity, considering the severity and risk score, and determine appropriate response actions, such as isolating the affected system or conducting a deeper forensic analysis.
 43
 44### False positive analysis
 45
 46- Routine administrative tasks may trigger the rule if administrators use command-line tools like cmd.exe or powershell.exe for legitimate maintenance. To manage this, create exceptions for known administrative accounts or specific IP addresses that regularly perform these tasks.
 47- Scheduled tasks or scripts that run under the MSExchangeAppPool context might spawn command-line interpreters as part of their normal operation. Identify these tasks and exclude them by specifying their unique process arguments or command lines.
 48- Monitoring or backup software that interacts with Exchange Server could inadvertently trigger the rule. Review the software's documentation to confirm its behavior and exclude its processes by name or hash if they are verified as safe.
 49- Custom applications or integrations that interact with Exchange Server and use command-line tools for automation may also cause false positives. Work with application developers to understand these interactions and exclude them based on process names or specific command-line patterns.
 50- If a known security tool or script is used to test Exchange Server's security posture, it might mimic suspicious behavior. Document these tools and exclude their processes during scheduled testing periods to avoid false alerts.
 51
 52### Response and remediation
 53
 54- Immediately isolate the affected Microsoft Exchange Server from the network to prevent further unauthorized access or lateral movement.
 55- Terminate any suspicious processes identified as being spawned by w3wp.exe, such as cmd.exe or powershell.exe, to halt any ongoing malicious activity.
 56- Conduct a thorough review of the server's application pools and web directories to identify and remove any unauthorized web shells or scripts.
 57- Restore the server from a known good backup taken before the suspicious activity was detected to ensure system integrity.
 58- Apply the latest security patches and updates to the Microsoft Exchange Server to mitigate known vulnerabilities and prevent exploitation.
 59- Monitor network traffic and server logs for any signs of continued or attempted exploitation, focusing on unusual outbound connections or repeated access attempts.
 60- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems have been compromised."""
 61references = [
 62    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
 63    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
 64    "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
 65]
 66risk_score = 73
 67rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
 68severity = "high"
 69tags = [
 70    "Domain: Endpoint",
 71    "OS: Windows",
 72    "Use Case: Threat Detection",
 73    "Tactic: Initial Access",
 74    "Tactic: Execution",
 75    "Data Source: Elastic Endgame",
 76    "Data Source: Elastic Defend",
 77    "Data Source: Sysmon",
 78    "Data Source: Microsoft Defender for Endpoint",
 79    "Data Source: SentinelOne",
 80    "Resources: Investigation Guide",
 81]
 82timestamp_override = "event.ingested"
 83type = "eql"
 84
 85query = '''
 86process where host.os.type == "windows" and event.type == "start" and
 87  process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
 88  (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
 89  ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
 90'''
 91
 92
 93[[rule.threat]]
 94framework = "MITRE ATT&CK"
 95[[rule.threat.technique]]
 96id = "T1190"
 97name = "Exploit Public-Facing Application"
 98reference = "https://attack.mitre.org/techniques/T1190/"
 99
100
101[rule.threat.tactic]
102id = "TA0001"
103name = "Initial Access"
104reference = "https://attack.mitre.org/tactics/TA0001/"
105[[rule.threat]]
106framework = "MITRE ATT&CK"
107[[rule.threat.technique]]
108id = "T1059"
109name = "Command and Scripting Interpreter"
110reference = "https://attack.mitre.org/techniques/T1059/"
111[[rule.threat.technique.subtechnique]]
112id = "T1059.001"
113name = "PowerShell"
114reference = "https://attack.mitre.org/techniques/T1059/001/"
115
116[[rule.threat.technique.subtechnique]]
117id = "T1059.003"
118name = "Windows Command Shell"
119reference = "https://attack.mitre.org/techniques/T1059/003/"
120
121
122
123[rule.threat.tactic]
124id = "TA0002"
125name = "Execution"
126reference = "https://attack.mitre.org/tactics/TA0002/"