This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
The following query detects unusual file content being created by UMWorkerProcess, the Exchange Unified Messaging service. This might indicated that CVE-2021-26858 is being exploited to generate a web shell.
More queries related to this threat can be found under the See also section of this page.
DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName !in~("CacheCleanup.bin", "cleanup.bin")
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | ||
| Execution | v | |
| Persistence | v | |
| Privilege escalation | ||
| Defense evasion | ||
| Credential Access | ||
| Discovery | ||
| Lateral movement | ||
| Collection | ||
| Command and control | ||
| Exfiltration | ||
| Impact | ||
| Vulnerability | ||
| Exploit | v | |
| Misconfiguration | ||
| Malware, component | ||
| Ransomware |
- Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
- Procdump dumping LSASS credentials
- 7-ZIP used by attackers to prepare data for exfiltration
- Exchange PowerShell snap-in being loaded
- Powercat exploitation tool downloaded
- Exchange Server IIS dropping web shells and other artifacts
- Exchange vulnerability launching subprocesses through UMWorkerProcess
- Base64-encoded Nishang commands for loading reverse shell
Contributor: Microsoft 365 Defender team