Microsoft Sentinel Analytic Rules

Exchange Worker Process Making Remote Call

Id2c701f94-783c-4cd4-bc9b-3b3334976090
RulenameExchange Worker Process Making Remote Call
DescriptionThis query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, where this pattern of activity was used to download additional tools to the server. The detected activity (a web-server worker process spawning a shell that references a URL) is generic and not specific to those CVEs.
SeverityMedium
TacticsExecution
TechniquesT1059.001
T1059.003
Required data connectorsAzureMonitor(IIS)
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
Version1.1.1
Arm template2c701f94-783c-4cd4-bc9b-3b3334976090.json
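let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
let shellNames = dynamic(["cmd.exe", "powershell.exe"]);
// Identify Exchange servers: hosts whose IIS logs show successful requests to the well-known
// Exchange virtual directories (OWA, EWS, ECP, Autodiscover), summarised to a list of hostnames.
// Hostnames are normalised to lower-case short names because W3CIISLog.Computer and
// DeviceProcessEvents.DeviceName are not guaranteed to use the same form (short name vs. FQDN);
// comparing them verbatim can silently make the rule match nothing.
let exchangeServers = W3CIISLog
| where csUriStem has_any("/owa/", "/ews/", "/ecp/", "/autodiscover/")
// Only successful responses, so hosts that merely received failed scanning traffic are ruled out
| where scStatus startswith "2"
| extend ExchangeHost = tolower(tostring(split(Computer, ".")[0]))
| summarize by ExchangeHost;
DeviceProcessEvents
| where tolower(tostring(split(DeviceName, ".")[0])) in (exchangeServers)
// Two process-tree shapes are covered, with case-insensitive file-name compares:
//   w3wp.exe -> cmd/powershell            (this event is the shell; the URL is on its own command line)
//   w3wp.exe -> cmd/powershell -> child   (this event is the child; the URL is on the child's command
//                                          line, e.g. cmd /c launching powershell or a download utility)
// The original rule only covered the second shape, so a shell spawned directly by w3wp.exe with a
// URL on its command line produced no alert.
| where (InitiatingProcessFileName =~ "w3wp.exe" and FileName in~ (shellNames))
    or (InitiatingProcessParentFileName =~ "w3wp.exe" and InitiatingProcessFileName in~ (shellNames))
// The command line references a URL. This is generic download / call-out behaviour and not a
// CVE-2022-41040 / CVE-2022-41082-specific indicator.
// NOTE(review): pwsh.exe (PowerShell 7) and encoded command lines (-EncodedCommand / base64) are
// not matched by these filters; extend shellNames / suspiciousCmdLineKeywords if that coverage is needed.
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,
    AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
// The columns below feed the rule's Account and Host entity mappings; keep their names stable.
| extend Account = strcat(AccountDomain, "\\", AccountName)
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)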
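name: Exchange Worker Process Making Remote Call
description: |
  'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process
  initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as
  post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, where this pattern of activity was
  used to download additional tools to the server. The detected activity (a web-server worker process spawning a shell
  that references a URL) is generic and not specific to those CVEs.'
tactics:
- Execution
requiredDataConnectors:
- dataTypes:
  - W3CIISLog
  connectorId: AzureMonitor(IIS)
- dataTypes:
  - DeviceProcessEvents
  connectorId: MicrosoftThreatProtection
queryPeriod: 1d
queryFrequency: 1d
triggerThreshold: 0
id: 2c701f94-783c-4cd4-bc9b-3b3334976090
triggerOperator: gt
version: 1.1.1
query: |
  let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
  let shellNames = dynamic(["cmd.exe", "powershell.exe"]);
  // Identify Exchange servers: hosts whose IIS logs show successful requests to the well-known
  // Exchange virtual directories (OWA, EWS, ECP, Autodiscover), summarised to a list of hostnames.
  // Hostnames are normalised to lower-case short names because W3CIISLog.Computer and
  // DeviceProcessEvents.DeviceName are not guaranteed to use the same form (short name vs. FQDN);
  // comparing them verbatim can silently make the rule match nothing.
  let exchangeServers = W3CIISLog
  | where csUriStem has_any("/owa/", "/ews/", "/ecp/", "/autodiscover/")
  // Only successful responses, so hosts that merely received failed scanning traffic are ruled out
  | where scStatus startswith "2"
  | extend ExchangeHost = tolower(tostring(split(Computer, ".")[0]))
  | summarize by ExchangeHost;
  DeviceProcessEvents
  | where tolower(tostring(split(DeviceName, ".")[0])) in (exchangeServers)
  // Two process-tree shapes are covered, with case-insensitive file-name compares:
  //   w3wp.exe -> cmd/powershell            (this event is the shell; the URL is on its own command line)
  //   w3wp.exe -> cmd/powershell -> child   (this event is the child; the URL is on the child's command
  //                                          line, e.g. cmd /c launching powershell or a download utility)
  // The original rule only covered the second shape, so a shell spawned directly by w3wp.exe with a
  // URL on its command line produced no alert.
  | where (InitiatingProcessFileName =~ "w3wp.exe" and FileName in~ (shellNames))
      or (InitiatingProcessParentFileName =~ "w3wp.exe" and InitiatingProcessFileName in~ (shellNames))
  // The command line references a URL. This is generic download / call-out behaviour and not a
  // CVE-2022-41040 / CVE-2022-41082-specific indicator.
  // NOTE(review): pwsh.exe (PowerShell 7) and encoded command lines (-EncodedCommand / base64) are
  // not matched by these filters; extend shellNames / suspiciousCmdLineKeywords if that coverage is needed.
  | where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
  | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, FileName, ProcessCommandLine,
      AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
  // The columns below feed the rule's Account and Host entity mappings; keep their names stable.
  | extend Account = strcat(AccountDomain, "\\", AccountName)
  | extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
metadata:
  support:
    tier: Community
  author:
    name: Microsoft Security Community
  source:
    kind: Community
  categories:
    domains:
    - Application
severity: Medium
kind: Scheduled
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Account
  - identifier: Name
    columnName: AccountName
  - identifier: NTDomain
    columnName: AccountDomain
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: DeviceName
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
relevantTechniques:
- T1059.001
- T1059.003
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml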
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
      "properties": {
        "alertRuleTemplateName": "2c701f94-783c-4cd4-bc9b-3b3334976090",
        "customDetails": null,
        "description": "'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process\ninitiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as\npost-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, where this pattern of activity was\nused to download additional tools to the server. This suspicious activity is generic and not specific to those CVEs.'\n",
        "displayName": "Exchange Worker Process Making Remote Call",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "Account",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml",
        "query": "let suspiciousCmdLineKeywords = dynamic([\"http://\", \"https://\"]);\n// Identify exchange servers based on known paths\n// Summarize these to get a list of exchange server hostnames\nlet exchangeServers = W3CIISLog\n| where csUriStem has_any(\"/owa/\",\"/ews/\",\"/ecp/\",\"/autodiscover/\")\n// Only where successful, rule out failed scanning\n| where scStatus startswith \"2\"\n| summarize by Computer;\nDeviceProcessEvents\n| where DeviceName in~ (exchangeServers)\n// Where the IIS worker process initiated CMD or PowerShell\n| where InitiatingProcessParentFileName == \"w3wp.exe\"\n| where InitiatingProcessFileName has_any(\"cmd.exe\", \"powershell.exe\")\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName\n| extend Account = strcat(AccountDomain, \"\\\\\", AccountName)\n| extend HostName = tostring(split(DeviceName, \".\")[0]), DomainIndex = toint(indexof(DeviceName, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059"
        ],
        "templateVersion": "1.1.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}