Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Exchange Worker Process Making Remote Call

Exchange Worker Process Making Remote Call

Back
Id2c701f94-783c-4cd4-bc9b-3b3334976090
RulenameExchange Worker Process Making Remote Call
DescriptionThis query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.

This behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.
SeverityMedium
TacticsExecution
TechniquesT1059.001
T1059.003
Required data connectorsAzureMonitor(IIS)
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
Version1.1.2
Arm template2c701f94-783c-4cd4-bc9b-3b3334976090.json
Deploy To Azure
let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
// Identify exchange servers based on known paths
// Summarize these to get a list of exchange server hostnames
let exchangeServers = W3CIISLog
| where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
// Only where successful, rule out failed scanning
| where scStatus startswith "2"
| summarize by Computer;
DeviceProcessEvents
| where DeviceName in~ (exchangeServers)
// Where the IIS worker process initiated CMD or PowerShell
| where InitiatingProcessParentFileName == "w3wp.exe"
| where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
| extend Account = strcat(AccountDomain, "\\", AccountName)
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)

severity: Medium
relevantTechniques:
- T1059.001
- T1059.003
queryFrequency: 1d
kind: Scheduled
version: 1.1.2
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Application
  author:
    name: Microsoft Security Community
  source:
    kind: Community
triggerOperator: gt
description: |
  'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.
  This behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.'  
queryPeriod: 1d
id: 2c701f94-783c-4cd4-bc9b-3b3334976090
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: Account
    identifier: FullName
  - columnName: AccountName
    identifier: Name
  - columnName: AccountDomain
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: NTDomain
tactics:
- Execution
name: Exchange Worker Process Making Remote Call
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
query: |
  let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
  // Identify exchange servers based on known paths
  // Summarize these to get a list of exchange server hostnames
  let exchangeServers = W3CIISLog
  | where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
  // Only where successful, rule out failed scanning
  | where scStatus startswith "2"
  | summarize by Computer;
  DeviceProcessEvents
  | where DeviceName in~ (exchangeServers)
  // Where the IIS worker process initiated CMD or PowerShell
  | where InitiatingProcessParentFileName == "w3wp.exe"
  | where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
  // Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
  | where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
  | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
  | extend Account = strcat(AccountDomain, "\\", AccountName)
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)  
requiredDataConnectors:
- dataTypes:
  - W3CIISLog
  connectorId: AzureMonitor(IIS)
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
      "properties": {
        "alertRuleTemplateName": "2c701f94-783c-4cd4-bc9b-3b3334976090",
        "customDetails": null,
        "description": "'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.\nThis behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.'\n",
        "displayName": "Exchange Worker Process Making Remote Call",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml",
        "query": "let suspiciousCmdLineKeywords = dynamic([\"http://\", \"https://\"]);\n// Identify exchange servers based on known paths\n// Summarize these to get a list of exchange server hostnames\nlet exchangeServers = W3CIISLog\n| where csUriStem has_any(\"/owa/\",\"/ews/\",\"/ecp/\",\"/autodiscover/\")\n// Only where successful, rule out failed scanning\n| where scStatus startswith \"2\"\n| summarize by Computer;\nDeviceProcessEvents\n| where DeviceName in~ (exchangeServers)\n// Where the IIS worker process initiated CMD or PowerShell\n| where InitiatingProcessParentFileName == \"w3wp.exe\"\n| where InitiatingProcessFileName has_any(\"cmd.exe\", \"powershell.exe\")\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\n| extend Account = strcat(AccountDomain, \"\\\\\", AccountName)\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.1.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}