This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
The following query detects downloads of powercat, an exploitation tool for PowerShell. Although associated with these zero-day attacks, powercat is a multi-purpose tool that is also used by other groups of attackers.
More queries related to this threat can be found under the See also section of this page.
```kusto
DeviceProcessEvents
| where FileName has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
| where ProcessCommandLine endswith "powercat.ps1"
```
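As an added illustration that is not part of the original query or the Microsoft 365 Defender repository, the Python below re-implements the query's two `where` clauses over a few constructed DeviceProcessEvents rows, so the filter's case-insensitivity and the scope of its `endswith` clause can be checked offline. Device names, paths and command lines are made up, and the exact-match stand-in for KQL's term-based `has_any` is an assumption that holds because FileName is a single token.

```python
from dataclasses import dataclass
from typing import List

# Process images the KQL scopes to via has_any. FileName is a single token,
# so a case-insensitive exact match stands in for KQL's term-based `has`
# (an assumption of this example, not a property of the real operator).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "powershell_ise.exe"}
SCRIPT_SUFFIX = "powercat.ps1"


@dataclass
class DeviceProcessEvent:
    """Subset of the DeviceProcessEvents columns the query touches."""
    DeviceName: str
    FileName: str
    ProcessCommandLine: str


def matches_powercat_query(ev: DeviceProcessEvent) -> bool:
    """Python equivalent of the two `where` clauses in the hunting query.

    KQL's has_any and endswith are case-insensitive (endswith_cs would
    not be), so both sides are lowercased before comparing.
    """
    if ev.FileName.lower() not in SHELL_IMAGES:
        return False
    return ev.ProcessCommandLine.lower().endswith(SCRIPT_SUFFIX)


def run_query(events: List[DeviceProcessEvent]) -> List[str]:
    """Return the DeviceName of every event the query would surface."""
    return [ev.DeviceName for ev in events if matches_powercat_query(ev)]


# Constructed sample telemetry (device names and paths are made up).
SAMPLE_EVENTS = [
    DeviceProcessEvent("ws01", "powershell.exe",
                       r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Public\powercat.ps1"),
    # Upper-case variant: still matches because the KQL operators ignore case.
    DeviceProcessEvent("ws02", "POWERSHELL.EXE",
                       r"POWERSHELL.EXE -FILE C:\TEMP\POWERCAT.PS1"),
    # Script name is not the last token, so `endswith` does not fire.
    DeviceProcessEvent("ws03", "powershell.exe",
                       r"powershell.exe -File C:\tools\powercat.ps1 -Verbose"),
    # Right script name, but the parent image is outside the has_any list.
    DeviceProcessEvent("ws04", "notepad.exe",
                       r"notepad.exe C:\Users\Public\powercat.ps1"),
    DeviceProcessEvent("ws05", "cmd.exe",
                       r"cmd.exe /c type C:\Users\Public\powercat.ps1"),
]

if __name__ == "__main__":
    print(run_query(SAMPLE_EVENTS))  # ['ws01', 'ws02', 'ws05']
```

The ws03 row shows why a hunt may also want a `has "powercat.ps1"` variant: the published query only fires when the script name is the final token of the command line.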
This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | | |
| Execution | v | |
| Persistence | | |
| Privilege escalation | | |
| Defense evasion | | |
| Credential access | | |
| Discovery | v | |
| Lateral movement | | |
| Collection | | |
| Command and control | | |
| Exfiltration | v | |
| Impact | | |
| Vulnerability | | |
| Exploit | | |
| Misconfiguration | | |
| Malware, component | v | |
| Ransomware | | |
See also:

- Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
- Procdump dumping LSASS credentials
- 7-Zip used by attackers to prepare data for exfiltration
- Exchange PowerShell snap-in being loaded
- Exchange vulnerability creating web shells via UMWorkerProcess
- Exchange Server IIS dropping web shells and other artifacts
- Exchange vulnerability launching subprocesses through UMWorkerProcess
- Base64-encoded Nishang commands for loading reverse shell
Contributor: Microsoft 365 Defender team