Microsoft Sentinel Analytic Rules

Silk Typhoon Suspicious UM Service Error

Id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
Rule name: Silk Typhoon Suspicious UM Service Error
Description: This query looks for Application-log errors raised by the Exchange Unified Messaging (UM) service, in particular UM worker process crashes, that may indicate an attacker is attempting to exploit the UM deserialization vulnerability (CVE-2021-26857) described in the referenced HAFNIUM blog post (the actor is now tracked as Silk Typhoon). The Watson-report branch keys on the TextFormattingRunProperties type, a well-known .NET deserialization gadget; crashes caused by System.OutOfMemoryException are excluded as a common benign cause.

Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
Severity: Low
Tactics: InitialAccess
Techniques: T1190
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml
Version: 1.0.4
Arm template: 0625fcce-6d52-491e-8c68-1d9b801d25b9.json
Event
// Windows Application log entries written by any Exchange event source
| where EventLog =~ "Application"
| where Source startswith "MSExchange"
| where EventLevelName =~ "error"
// UM worker process crashes and UM service failures; the Watson branch keys on the TextFormattingRunProperties deserialization gadget
| where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service" or RenderedDescription contains "MSExchange Unified Messaging"
// Drop memory-exhaustion crashes, a common benign cause of UM worker failures
| where RenderedDescription !contains "System.OutOfMemoryException"
// Split the FQDN into host label and DNS suffix for the Host entity mapping
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex
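To see what the rule actually matches before deploying it, the following Python emulates the KQL filter above over a handful of constructed Application-log events. This is an added example, not code from the Azure-Sentinel repository or from Microsoft; the event dictionaries, their descriptions and host names are all constructed here and only mirror the columns of Sentinel's Event table that the rule reads (EventLog, Source, EventLevelName, RenderedDescription, Computer). One detail the emulation makes explicit: KQL's `=~`, `startswith`, `contains` and `!contains` are case-insensitive, so the real rule matches a Watson report naming `UMWorkerProcess.exe` even though the query spells it `umworkerprocess`.

```python
"""Emulate the Silk Typhoon UM service error rule over constructed events.

Added example (not the rule's own code). The KQL operators used by the rule
(=~, startswith, contains, !contains) are case-insensitive, so every
comparison below lowercases both sides before comparing.
"""
from typing import Dict, List, Tuple

# Constructed sample events; the descriptions are illustrative, not real Exchange log text.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # Watson crash report naming the UM worker and the deserialization gadget -> hit
        "EventLog": "Application", "Source": "MSExchange Common", "EventLevelName": "Error",
        "Computer": "exch01.corp.example.com",
        "RenderedDescription": ("Watson report about to be sent for process id: 4212, "
                                "UMWorkerProcess.exe, Microsoft.VisualStudio.Text.Formatting."
                                "TextFormattingRunProperties, System.Runtime.Serialization"),
    },
    {   # Same shape but the crash is memory exhaustion -> removed by the !contains clause
        "EventLog": "Application", "Source": "MSExchange Unified Messaging", "EventLevelName": "Error",
        "Computer": "exch01.corp.example.com",
        "RenderedDescription": ("An unhandled exception occurred in a UM worker process: "
                                "System.OutOfMemoryException: Insufficient memory to continue"),
    },
    {   # Matching text but logged as a Warning -> not an error, ignored
        "EventLog": "Application", "Source": "MSExchange Unified Messaging", "EventLevelName": "Warning",
        "Computer": "exch01.corp.example.com",
        "RenderedDescription": "MSExchange Unified Messaging worker process was recycled.",
    },
    {   # Service-level error on a host logged without a DNS suffix -> hit, domain falls back to the name
        "EventLog": "Application", "Source": "MSExchange Unified Messaging", "EventLevelName": "Error",
        "Computer": "EXCH02",
        "RenderedDescription": "The Microsoft Exchange Unified Messaging service stopped unexpectedly.",
    },
    {   # Non-Exchange source -> ignored even though the text mentions UM
        "EventLog": "Application", "Source": "Microsoft-Windows-Winlogon", "EventLevelName": "Error",
        "Computer": "dc01.corp.example.com",
        "RenderedDescription": "MSExchange Unified Messaging referenced in an unrelated error.",
    },
]


def _lc(value) -> str:
    """Lowercase a possibly-missing column, mirroring KQL's case-insensitive operators."""
    return (value or "").lower()


def matches_rule(ev: Dict[str, str]) -> bool:
    """Return True if the event passes every `where` clause of the rule."""
    if _lc(ev.get("EventLog")) != "application":
        return False
    if not _lc(ev.get("Source")).startswith("msexchange"):
        return False
    if _lc(ev.get("EventLevelName")) != "error":
        return False
    d = _lc(ev.get("RenderedDescription"))
    watson = (d.startswith("watson report")
              and "umworkerprocess" in d
              and "textformattingrunproperties" in d)
    suspicious = (watson
                  or d.startswith("an unhandled exception occurred in a um worker process")
                  or d.startswith("the microsoft exchange unified messaging service")
                  or "msexchange unified messaging" in d)
    # Exclusion clause: memory-exhaustion crashes are a common benign cause
    return suspicious and "system.outofmemoryexception" not in d


def split_host(computer: str) -> Tuple[str, str]:
    """Mirror the extend/iff logic: label before the first dot, DNS suffix after it.
    A name without a dot yields itself as HostNameDomain, as indexof returns -1."""
    idx = computer.find(".")
    host = computer.split(".")[0]
    domain = computer[idx + 1:] if idx != -1 else computer
    return host, domain


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply the filter and add the HostName/HostNameDomain columns the entity mapping uses."""
    hits = []
    for ev in events:
        if matches_rule(ev):
            host, domain = split_host(ev["Computer"])
            hits.append({**ev, "HostName": host, "HostNameDomain": domain})
    return hits


def alert_fires(hits: List[Dict[str, str]], threshold: int = 0) -> bool:
    """Trigger threshold 0 with operator gt: any result count above 0 raises an incident."""
    return len(hits) > threshold


if __name__ == "__main__":
    results = run_rule(SAMPLE_EVENTS)
    for hit in results:
        print(f"{hit['HostName']}\t{hit['HostNameDomain']}\t{hit['RenderedDescription'][:60]}")
    print("incident raised:", alert_fires(results))
```

Two things the emulation makes visible that matter when tuning the rule. First, with a trigger threshold of 0 and operator gt, a single matching event raises an incident, and with a query frequency and period of 1d the alert can lag the crash by up to a day; during active hunting on an exposed Exchange server, shorten both. Second, HostNameDomain is the DNS suffix of the Computer field (or the bare name when there is none), yet the entity mapping labels it NTDomain, so expect the Host entity to carry a DNS domain rather than a NetBIOS name when you pivot from the incident.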
description: |
  'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. 
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'  
version: 1.0.4
queryFrequency: 1d
triggerThreshold: 0
tactics:
- InitialAccess
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonSuspiciousUMServiceError.yaml
query: |
  Event
  | where EventLog =~ "Application"
  | where Source startswith "MSExchange"
  | where EventLevelName =~ "error"
  | where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service" or RenderedDescription contains "MSExchange Unified Messaging"
  | where RenderedDescription !contains "System.OutOfMemoryException"
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | project-away DomainIndex  
id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
name: Silk Typhoon Suspicious UM Service Error
triggerOperator: gt
severity: Low
metadata:
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Intelligence
  support:
    tier: Community
  source:
    kind: Community
kind: Scheduled
entityMappings:
- fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: NTDomain
  entityType: Host
relevantTechniques:
- T1190
requiredDataConnectors: []