Microsoft Exchange Worker Spawning Suspicious Processes

  1[metadata]
  2creation_date = "2021/03/08"
  3integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
  4maturity = "production"
  5updated_date = "2026/05/03"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies suspicious processes being spawned by the Microsoft Exchange Server worker process (w3wp). This activity may
 11indicate exploitation activity or access to an existing web shell backdoor.
 12"""
 13from = "now-9m"
 14index = [
 15    "logs-endpoint.events.process-*",
 16    "winlogbeat-*",
 17    "logs-windows.sysmon_operational-*",
 18    "endgame-*",
 19    "logs-m365_defender.event-*",
 20    "logs-sentinel_one_cloud_funnel.*",
 21]
 22language = "eql"
 23license = "Elastic License v2"
 24name = "Microsoft Exchange Worker Spawning Suspicious Processes"
 25references = [
 26    "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
 27    "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
 28    "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
 29]
 30risk_score = 73
 31rule_id = "f81ee52c-297e-46d9-9205-07e66931df26"
 32severity = "high"
 33tags = [
 34    "Domain: Endpoint",
 35    "OS: Windows",
 36    "Use Case: Threat Detection",
 37    "Tactic: Initial Access",
 38    "Data Source: Elastic Endgame",
 39    "Data Source: Elastic Defend",
 40    "Data Source: Sysmon",
 41    "Data Source: Microsoft Defender XDR",
 42    "Data Source: SentinelOne",
 43    "Resources: Investigation Guide",
 44]
 45timestamp_override = "event.ingested"
 46type = "eql"
 47
 48query = '''
 49process where host.os.type == "windows" and event.type == "start" and
 50  process.parent.name : "w3wp.exe" and process.parent.args : "MSExchange*AppPool" and
 51  (
 52    (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe") or
 53    ?process.pe.original_file_name in ("Cmd.Exe", "PowerShell.EXE", "pwsh.dll", "powershell_ise.EXE"))
 54  )
 55'''
 56
 57note = """## Triage and analysis
 58
 59### Investigating Microsoft Exchange Worker Spawning Suspicious Processes
 60
 61#### Possible investigation steps
 62
 63- What Exchange worker-child path did the alert capture?
 64  - Focus: child `process.executable` and `process.command_line`; worker `process.parent.executable`, `process.parent.args`, and `process.parent.command_line`; exact MSExchange app pool.
 65  - Implication: escalate when an Exchange app pool launches shell/PowerShell for execution, download, discovery, or staging; lower suspicion only when parent arguments and child command match one narrow maintenance task with no webshell or RCE indicators.
 66- What intent does the shell or PowerShell command show?
 67  - Focus: `process.command_line`; encoded or inline execution, download cradles, archive/export, discovery, Set-OabVirtualDirectory, mailbox access, or FrontEnd\\HttpProxy, aspnet_client, web.config, and applicationHost.config paths.
 68  - Implication: escalate on payload retrieval, web-root staging, credential access, account changes, mailbox export, cleanup, or lateral movement; lower suspicion only for one bounded recognized Exchange maintenance or validation action.
 69- Does token and session context support human administration or service-context abuse?
 70  - Why: w3wp.exe children often inherit app-pool or service identity, so user fields alone do not prove human administration.
 71  - Focus: `user.id`, `user.name`, `user.domain`, `process.Ext.session_info.logon_type`, and `process.Ext.authentication_id`.
 72  - Implication: escalate when a service, app-pool, or unexpected logon context launches interactive shell behavior or remote administration; lower suspicion only when identity, session type, and command scope match the same recognized workflow.
 73- Is the child binary expected or masqueraded?
 74  - Focus: `process.executable`, `process.hash.sha256`, `process.pe.original_file_name`, `process.code_signature.subject_name`, and `process.code_signature.trusted`.
 75  - Implication: escalate when the child is renamed, user-writable, unsigned or untrusted, hash-new for the server, or mismatched to PE original name; a trusted Microsoft shell lowers identity concern but does not clear the unusual chain.
 76- If process evidence is suspicious or unresolved, did file evidence show webshells or artifacts?
 77  - Focus: with endpoint file telemetry, scope by `host.id` + `process.entity_id`, or `host.id` + `process.pid` + tight alert window if absent; inspect `file.path`, `file.Ext.original.path`, `file.origin_url`, and `file.Ext.windows.zone_identifier` for ASPX, scripts, binaries, DLLs, archives, or output under Exchange/IIS paths. $investigate_1
 78  - Hint: check whether a written `file.path` later appears as `process.executable`; missing file telemetry limits proof but is not benign.
 79  - Implication: escalate when the child writes new or modified ASPX, scripts, binaries, DLLs, archives, or output under Exchange FrontEnd\\HttpProxy, IIS aspnet_client, temp, or web-root paths; lower suspicion only when file activity stays inside the exact maintenance path with no web-content or payload staging.
 80- If process evidence is suspicious or unresolved, did network evidence show retrieval or callback?
 81  - Focus: with endpoint network telemetry, scope DNS and connections by `host.id` + `process.entity_id`, or `host.id` + `process.pid` + tight alert window if absent; read DNS (`dns.question.name`, `dns.resolved_ip`) separately from connections (`destination.ip`, `destination.port`). $investigate_2
 82  - Hint: map `dns.resolved_ip` to `destination.ip` before deciding whether the same process reached it. Missing network telemetry is unresolved, not benign.
 83  - Implication: escalate when the child downloads tools, reaches public staging or callback infrastructure, or connects to systems unrelated to the Exchange task; lower suspicion only when destinations are internal, proxy, or vendor services fitting the same bounded workflow.
 84- Does same-worker or same-host scope show broader Exchange compromise?
 85  - Focus: surrounding same-worker process starts and related alerts on `host.id` or `user.id`, especially `process.parent.executable`, `process.parent.args`, `process.command_line`, and `process.hash.sha256` for repeated w3wp.exe descendants, credential dumping, account changes, archiving, cleanup, or side-loading chains.
 86    - $investigate_3
 87    - $investigate_0
 88    - $investigate_4
 89  - Implication: escalate scope when the host shows credential dumping, account changes, archive creation, cleanup, lateral movement, or repeated Exchange worker children; keep local only when surrounding process evidence and related alerts stay confined to the same recognized maintenance window.
 90- Escalate on unexplained server-side execution, suspicious command intent, payload staging, suspicious destinations, or broader host compromise; close only when all available evidence aligns with one recognized Exchange workflow on this host; preserve artifacts and escalate when evidence is mixed or visibility incomplete.
 91
 92### False positive analysis
 93
 94- Recognized Exchange maintenance or controlled validation is the bounded benign path. Confirm only when `process.parent.args`, child `process.command_line`, `process.executable`, `process.hash.sha256`, `process.code_signature.subject_name`, `user.id`, and `host.id` align with one task, and any `file.path`, `dns.question.name`, or `destination.ip` evidence shows no payload staging or external callback. Use change records as corroboration; otherwise require recurring prior alerts with the same parent arguments, command pattern, child identity, user, host, and no contradictory artifacts or destinations.
 95- Build exceptions only from the minimum confirmed pattern: `process.parent.args`, child `process.executable` or `process.hash.sha256`, `process.code_signature.subject_name`, stable `process.command_line` fragment, `user.id`, `host.id`, and any bounded artifact or destination pattern distinguishing the benign task. Avoid exceptions on "w3wp.exe", `process.name`, or `host.id` alone.
 96
 97### Response and remediation
 98
 99- If confirmed benign, reverse temporary containment and document the exact evidence that validated the workflow: `process.parent.args`, child `process.executable`, `process.command_line`, `user.id`, `host.id`, and any bounded artifact or destination pattern. Create an exception only after the same pattern is stable across prior alerts from this rule.
100- If suspicious but unconfirmed, preserve the alert, process tree, child `process.entity_id` or `process.pid`, `process.command_line`, parent `process.parent.entity_id`, `process.parent.args`, child hash and signer, `user.id`, `host.id`, and any staged artifacts, destinations, or IIS/Exchange log snippets before containment. Apply reversible containment first: block confirmed malicious destinations, restrict external access to the implicated Exchange service, or increase monitoring. Isolate only when active compromise evidence and server criticality justify disruption.
101- If confirmed malicious, contain the Exchange server or exposed service path based on the process, artifact, destination, and same-host evidence already preserved. Record process and artifact identifiers before terminating the child, then block confirmed malicious domains, IPs, and hashes.
102- Eradicate only the webshells, scripts, archives, scheduled tasks, dropped utilities, and configuration changes identified during triage. Restore modified Exchange or IIS content from known-good state, patch the Exchange server, review the virtual directories and app pools implicated by `process.parent.args`, and rotate Exchange, application, or service credentials if credential access, configuration theft, or mailbox export was involved.
103- Retain the related process, file, network, IIS, and Exchange logs that supported the decision. Document any adjacent variant or telemetry gap, such as missing endpoint file/network events or unavailable IIS request logs, for the detection engineering team.
104"""
105
106setup = """## Setup
107
108This rule is designed for data generated by [Elastic Defend](https://www.elastic.co/security/endpoint-security), which provides native endpoint detection and response, along with event enrichments designed to work with our detection rules.
109
110Setup instructions: https://ela.st/install-elastic-defend
111
112### Additional data sources
113
114This rule also supports the following third-party data sources. For setup instructions, refer to the links below:
115
116- [Microsoft Defender XDR](https://ela.st/m365-defender)
117- [SentinelOne Cloud Funnel](https://ela.st/sentinel-one-cloud-funnel)
118- [Sysmon Event ID 1 - Process Creation](https://ela.st/sysmon-event-1-setup)
119"""
120
121[rule.investigation_fields]
122field_names = [
123    "@timestamp",
124    "host.name",
125    "host.id",
126    "user.id",
127    "process.entity_id",
128    "process.pid",
129    "process.executable",
130    "process.command_line",
131    "process.pe.original_file_name",
132    "process.hash.sha256",
133    "process.code_signature.subject_name",
134    "process.code_signature.trusted",
135    "process.parent.entity_id",
136    "process.parent.executable",
137    "process.parent.args",
138]
139
140[transform]
141
142[[transform.investigate]]
143label = "Alerts associated with the host"
144description = ""
145providers = [
146  [
147    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
148    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
149  ]
150]
151relativeFrom = "now-48h/h"
152relativeTo = "now"
153
154[[transform.investigate]]
155label = "File events for the suspicious child process"
156description = ""
157providers = [
158  [
159    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" },
160    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
161    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
162  ]
163]
164relativeFrom = "now-1h"
165relativeTo = "now"
166
167[[transform.investigate]]
168label = "Network events for the suspicious child process"
169description = ""
170providers = [
171  [
172    { excluded = false, field = "event.category", queryType = "phrase", value = "network", valueType = "string" },
173    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
174    { excluded = false, field = "process.entity_id", queryType = "phrase", value = "{{process.entity_id}}", valueType = "string" }
175  ]
176]
177relativeFrom = "now-1h"
178relativeTo = "now"
179
180[[transform.investigate]]
181label = "Process events from the same Exchange worker"
182description = ""
183providers = [
184  [
185    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" },
186    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
187    { excluded = false, field = "process.parent.entity_id", queryType = "phrase", value = "{{process.parent.entity_id}}", valueType = "string" }
188  ]
189]
190relativeFrom = "now-1h"
191relativeTo = "now"
192
193[[transform.investigate]]
194label = "Alerts associated with the user"
195description = ""
196providers = [
197  [
198    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
199    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
200  ]
201]
202relativeFrom = "now-48h/h"
203relativeTo = "now"
204
205[[rule.threat]]
206framework = "MITRE ATT&CK"
207
208[[rule.threat.technique]]
209id = "T1190"
210name = "Exploit Public-Facing Application"
211reference = "https://attack.mitre.org/techniques/T1190/"
212
213[rule.threat.tactic]
214id = "TA0001"
215name = "Initial Access"
216reference = "https://attack.mitre.org/tactics/TA0001/"
217
218[[rule.threat]]
219framework = "MITRE ATT&CK"
220
221[[rule.threat.technique]]
222id = "T1059"
223name = "Command and Scripting Interpreter"
224reference = "https://attack.mitre.org/techniques/T1059/"
225
226[[rule.threat.technique.subtechnique]]
227id = "T1059.001"
228name = "PowerShell"
229reference = "https://attack.mitre.org/techniques/T1059/001/"
230
231[[rule.threat.technique.subtechnique]]
232id = "T1059.003"
233name = "Windows Command Shell"
234reference = "https://attack.mitre.org/techniques/T1059/003/"
235
236[rule.threat.tactic]
237id = "TA0002"
238name = "Execution"
239reference = "https://attack.mitre.org/tactics/TA0002/"
240
241[[rule.threat]]
242framework = "MITRE ATT&CK"
243
244[[rule.threat.technique]]
245id = "T1505"
246name = "Server Software Component"
247reference = "https://attack.mitre.org/techniques/T1505/"
248
249[[rule.threat.technique.subtechnique]]
250id = "T1505.003"
251name = "Web Shell"
252reference = "https://attack.mitre.org/techniques/T1505/003/"
253
254[rule.threat.tactic]
255id = "TA0003"
256name = "Persistence"
257reference = "https://attack.mitre.org/tactics/TA0003/"