Microsoft Exchange Server UM Spawning Suspicious Processes
editMicrosoft Exchange Server UM Spawning Suspicious Processes
editIdentifies suspicious processes being spawned by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26857.
Rule type: eql
Rule indices:
- logs-endpoint.events.process-*
- winlogbeat-*
- logs-windows.forwarded*
- logs-windows.sysmon_operational-*
- endgame-*
- logs-system.security*
- logs-m365_defender.event-*
- logs-sentinel_one_cloud_funnel.*
- logs-crowdstrike.fdr*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Initial Access
- Tactic: Lateral Movement
- Data Source: Elastic Endgame
- Use Case: Vulnerability
- Data Source: Elastic Defend
- Data Source: System
- Data Source: Microsoft Defender for Endpoint
- Data Source: Sysmon
- Data Source: SentinelOne
- Data Source: Crowdstrike
Version: 311
Rule authors:
- Elastic
- Austin Songer
Rule license: Elastic License v2
Rule query
editprocess where host.os.type == "windows" and event.type == "start" and process.parent.name : ("UMService.exe", "UMWorkerProcess.exe") and not process.executable : ( "?:\\Windows\\System32\\werfault.exe", "?:\\Windows\\System32\\wermgr.exe", "?:\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe", "?:\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe", "D:\\Exchange 2016\\Bin\\UMWorkerProcess.exe", "E:\\ExchangeServer\\Bin\\UMWorkerProcess.exe", "D:\\Exchange\\Bin\\UMWorkerProcess.exe", "D:\\Exchange Server\\Bin\\UMWorkerProcess.exe", "E:\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\Windows\\System32\\werfault.exe", "\\Device\\HarddiskVolume?\\Windows\\System32\\wermgr.exe", "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\V??\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\Program Files\\Microsoft\\Exchange Server\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\Exchange 2016\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\ExchangeServer\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\Exchange\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\Exchange Server\\Bin\\UMWorkerProcess.exe", "\\Device\\HarddiskVolume?\\Exchange Server\\V15\\Bin\\UMWorkerProcess.exe" )
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Exploit Public-Facing Application
- ID: T1190
- Reference URL: https://attack.mitre.org/techniques/T1190/
-
Tactic:
- Name: Lateral Movement
- ID: TA0008
- Reference URL: https://attack.mitre.org/tactics/TA0008/
-
Technique:
- Name: Exploitation of Remote Services
- ID: T1210
- Reference URL: https://attack.mitre.org/techniques/T1210/