Exchange Worker Process Making Remote Call
Id | 2c701f94-783c-4cd4-bc9b-3b3334976090 |
Rulename | Exchange Worker Process Making Remote Call |
Description | This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as post-compromise activity following exploitation of CVE-2022-41040 and CVE-2022-41082, where this pattern was used to download additional tools to the server. The behaviour itself is generic and not specific to those CVEs, so the rule is also relevant to other Exchange compromises. |
Severity | Medium |
Tactics | Execution |
Techniques | T1059.001 T1059.003 |
Required data connectors | AzureMonitor(IIS) MicrosoftThreatProtection |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml |
Version | 1.0.1 |
Arm template | 2c701f94-783c-4cd4-bc9b-3b3334976090.json |
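// Terms that indicate a remote URL is being passed on a command line.
// NOTE(review): has_any is term-based; confirm it still matches when the
// URL is glued to other characters (e.g. quoted or inside -Uri:http://...).
let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
// Identify Exchange servers dynamically: hosts whose IIS logs show hits on the
// well-known Exchange virtual directories, rather than a hard-coded server list.
// Summarize these to get a list of exchange server hostnames
let exchangeServers = W3CIISLog
| where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
// Only where successful, rule out failed scanning
| where scStatus startswith "2"
| summarize by Computer;
DeviceProcessEvents
// NOTE(review): W3CIISLog.Computer and DeviceProcessEvents.DeviceName must use the
// same naming form (short hostname vs FQDN) for this match to work — verify in the
// target workspace, otherwise the rule silently returns nothing.
| where DeviceName in~ (exchangeServers)
// Where the IIS worker process initiated CMD or PowerShell.
// =~ (case-insensitive) instead of == so a differently-cased file name is not
// silently missed; consistent with the in~ used on DeviceName above.
| where InitiatingProcessParentFileName =~ "w3wp.exe"
// NOTE(review): PowerShell 7 (pwsh.exe) is not covered here; add it if it is
// deployed on the Exchange servers.
| where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
// ProcessCommandLine is the command line of the process spawned BY cmd/powershell;
// the cmd/powershell command line itself is InitiatingProcessCommandLine. Check both,
// so a URL passed directly to cmd/powershell (not only to a further child) is caught.
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
    or InitiatingProcessCommandLine has_any(suspiciousCmdLineKeywords)
// Project both command lines so the analyst sees the full w3wp -> shell -> child chain.
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine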
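# Sentinel scheduled analytics rule. Indentation restored: the block scalar under
# `query:` and the list items must be indented below their parent keys to be valid YAML.
triggerOperator: gt
version: 1.0.1
query: |
  // Terms that indicate a remote URL is being passed on a command line.
  // NOTE(review): has_any is term-based; confirm it still matches when the
  // URL is glued to other characters (e.g. quoted or inside -Uri:http://...).
  let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
  // Identify Exchange servers dynamically: hosts whose IIS logs show hits on the
  // well-known Exchange virtual directories, rather than a hard-coded server list.
  // Summarize these to get a list of exchange server hostnames
  let exchangeServers = W3CIISLog
  | where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
  // Only where successful, rule out failed scanning
  | where scStatus startswith "2"
  | summarize by Computer;
  DeviceProcessEvents
  // NOTE(review): W3CIISLog.Computer and DeviceProcessEvents.DeviceName must use the
  // same naming form (short hostname vs FQDN) for this match to work — verify in the
  // target workspace, otherwise the rule silently returns nothing.
  | where DeviceName in~ (exchangeServers)
  // Where the IIS worker process initiated CMD or PowerShell.
  // =~ (case-insensitive) instead of == so a differently-cased file name is not
  // silently missed; consistent with the in~ used on DeviceName above.
  | where InitiatingProcessParentFileName =~ "w3wp.exe"
  // NOTE(review): PowerShell 7 (pwsh.exe) is not covered here; add it if it is
  // deployed on the Exchange servers.
  | where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
  // ProcessCommandLine is the command line of the process spawned BY cmd/powershell;
  // the cmd/powershell command line itself is InitiatingProcessCommandLine. Check both,
  // so a URL passed directly to cmd/powershell (not only to a further child) is caught.
  | where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
      or InitiatingProcessCommandLine has_any(suspiciousCmdLineKeywords)
  // Project both command lines so the analyst sees the full w3wp -> shell -> child chain.
  | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine
entityMappings:
  - entityType: Host
    fieldMappings:
      - columnName: DeviceName
        identifier: FullName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
queryFrequency: 1d
requiredDataConnectors:
  - connectorId: AzureMonitor(IIS)
    dataTypes:
      - W3CIISLog
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
metadata:
  source:
    kind: Community
  author:
    name: petebryan
  categories:
    domains:
      - Application
  support:
    tier: Community
name: Exchange Worker Process Making Remote Call
# Both frequency and period are 1d: the rule runs once a day over the last day.
# NOTE(review): with no lookback overlap, events delayed in ingestion across the
# boundary can be missed — consider a queryPeriod slightly longer than queryFrequency.
queryPeriod: 1d
severity: Medium
kind: Scheduled
tactics:
  - Execution
id: 2c701f94-783c-4cd4-bc9b-3b3334976090
description: |
  'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process
  initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as
  post-compromise activity following exploitation of CVE-2022-41040 and CVE-2022-41082, where this pattern was
  used to download additional tools to the server. The behaviour is generic and not specific to those CVEs.'
relevantTechniques:
  - T1059.001
  - T1059.003
triggerThreshold: 0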
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Exchange Worker Process Making Remote Call",
"description": "'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process\ninitiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as\npost-compromise activity following exploitation of CVE-2022-41040 and CVE-2022-41082, where this pattern was\nused to download additional tools to the server. The behaviour is generic and not specific to those CVEs.'\n",
"severity": "Medium",
"enabled": true,
"query": "let suspiciousCmdLineKeywords = dynamic([\"http://\", \"https://\"]);\n// Identify exchange servers based on known paths\n// Summarize these to get a list of exchange server hostnames\nlet exchangeServers = W3CIISLog\n| where csUriStem has_any(\"/owa/\",\"/ews/\",\"/ecp/\",\"/autodiscover/\")\n// Only where successful, rule out failed scanning\n| where scStatus startswith \"2\"\n| summarize by Computer;\nDeviceProcessEvents\n| where DeviceName in~ (exchangeServers)\n// Where the IIS worker process initiated CMD or PowerShell\n| where InitiatingProcessParentFileName == \"w3wp.exe\"\n| where InitiatingProcessFileName has_any(\"cmd.exe\", \"powershell.exe\")\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"techniques": [
"T1059.001",
"T1059.003"
],
"alertRuleTemplateName": "2c701f94-783c-4cd4-bc9b-3b3334976090",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"columnName": "DeviceName",
"identifier": "FullName"
}
],
"entityType": "Host"
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml",
"templateVersion": "1.0.1"
}
}
]
}