Microsoft Sentinel Analytic Rules

Exchange Worker Process Making Remote Call

Id2c701f94-783c-4cd4-bc9b-3b3334976090
RulenameExchange Worker Process Making Remote Call
DescriptionThis query dynamically identifies Exchange servers and then looks for instances where the IIS worker process

initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as

post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082; this pattern of activity was

used to download additional tools to the server. The detected activity pattern is generic rather than specific to those CVEs.
SeverityMedium
TacticsExecution
TechniquesT1059.001
T1059.003
Required data connectorsAzureMonitor(IIS)
MicrosoftThreatProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
Version1.0.1
Arm template2c701f94-783c-4cd4-bc9b-3b3334976090.json
// Flags cmd.exe / powershell.exe launched under the IIS worker process (w3wp.exe)
// on hosts that served Exchange web paths, where the command line carries a URL.
// Sources: W3CIISLog (Exchange host discovery) and DeviceProcessEvents (process tree).
let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
// Identify exchange servers based on known paths
// Summarize these to get a list of exchange server hostnames
// NOTE(review): the host list is built from the rule's own query period (1d), so an
// Exchange server with no successful OWA/EWS/ECP/Autodiscover request in that window
// is not considered at all, even if it shows the process pattern below.
let exchangeServers = W3CIISLog
| where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
// Only where successful, rule out failed scanning
| where scStatus startswith "2"
| summarize by Computer;
DeviceProcessEvents
// Host join key: W3CIISLog.Computer vs DeviceProcessEvents.DeviceName. in~ is
// case-insensitive equality only — if one source reports a short hostname and the
// other an FQDN, nothing matches. Confirm both tables use the same name form.
| where DeviceName in~ (exchangeServers)
// Where the IIS worker process initiated CMD or PowerShell
| where InitiatingProcessParentFileName == "w3wp.exe"
// NOTE(review): term match on "powershell.exe" does not cover pwsh.exe (PowerShell 7);
// extend the list if it is deployed on these hosts.
| where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
// Any http(s) URL in the command line matches, so legitimate admin scripting from
// w3wp.exe children will also surface here — tune or allow-list per environment.
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine
triggerOperator: gt
version: 1.0.1
query: |
  let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
  // Identify exchange servers based on known paths
  // Summarize these to get a list of exchange server hostnames
  let exchangeServers = W3CIISLog
  | where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
  // Only where successful, rule out failed scanning
  | where scStatus startswith "2"
  | summarize by Computer;
  DeviceProcessEvents
  | where DeviceName in~ (exchangeServers)
  // Where the IIS worker process initiated CMD or PowerShell
  | where InitiatingProcessParentFileName == "w3wp.exe"
  | where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
  // Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
  | where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
  | project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine  
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DeviceName
    identifier: FullName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml
queryFrequency: 1d
requiredDataConnectors:
- connectorId: AzureMonitor(IIS)
  dataTypes:
  - W3CIISLog
- connectorId: MicrosoftThreatProtection
  dataTypes:
  - DeviceProcessEvents
metadata:
  source:
    kind: Community
  author:
    name: petebryan
  categories:
    domains:
    - Application
  support:
    tier: Community
name: Exchange Worker Process Making Remote Call
queryPeriod: 1d
severity: Medium
kind: Scheduled
tactics:
- Execution
id: 2c701f94-783c-4cd4-bc9b-3b3334976090
description: |
  'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process
  initiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as
  post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082; this pattern of activity was
  used to download additional tools to the server. The detected activity pattern is generic rather than specific to those CVEs.'
relevantTechniques:
- T1059.001
- T1059.003
triggerThreshold: 0
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2c701f94-783c-4cd4-bc9b-3b3334976090')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "Exchange Worker Process Making Remote Call",
        "description": "'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process\ninitiates a call out to a remote URL using either cmd.exe or powershell.exe. This behaviour was described as\npost-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082; this pattern of activity was\nused to download additional tools to the server. The detected activity pattern is generic rather than specific to those CVEs.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let suspiciousCmdLineKeywords = dynamic([\"http://\", \"https://\"]);\n// Identify exchange servers based on known paths\n// Summarize these to get a list of exchange server hostnames\nlet exchangeServers = W3CIISLog\n| where csUriStem has_any(\"/owa/\",\"/ews/\",\"/ecp/\",\"/autodiscover/\")\n// Only where successful, rule out failed scanning\n| where scStatus startswith \"2\"\n| summarize by Computer;\nDeviceProcessEvents\n| where DeviceName in~ (exchangeServers)\n// Where the IIS worker process initiated CMD or PowerShell\n| where InitiatingProcessParentFileName == \"w3wp.exe\"\n| where InitiatingProcessFileName has_any(\"cmd.exe\", \"powershell.exe\")\n// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation\n| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)\n| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1059.001",
          "T1059.003"
        ],
        "alertRuleTemplateName": "2c701f94-783c-4cd4-bc9b-3b3334976090",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "DeviceName",
                "identifier": "FullName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/ExchangeWorkerProcessMakingRemoteCall.yaml",
        "templateVersion": "1.0.1"
      }
    }
  ]
}