Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Silk Typhoon New UM Service Child Process

Back
Id95a15f39-d9cc-4667-8cdd-58f3113691c9
RulenameSilk Typhoon New UM Service Child Process
DescriptionThis query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before.

Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
SeverityMedium
TacticsInitialAccess
TechniquesT1190
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
Version1.1.5
Arm template95a15f39-d9cc-4667-8cdd-58f3113691c9.json
Deploy To Azure
let lookback = 14d;
let timeframe = 1d;
(union isfuzzy=true
(SecurityEvent
| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
| where EventID == 4688
| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
| join kind=rightanti (
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
| where EventID == 4688) on NewProcessName
),
(WindowsEvent
| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
| where EventID == 4688 and EventData has_any ("umworkerprocess.exe", "UMService.exe")
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend IpAddress = tostring(EventData.IpAddress)
| join kind=rightanti (
WindowsEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4688  and EventData has_any ("umworkerprocess.exe", "UMService.exe")
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)
| project-away DomainIndex
))  
kind: Scheduled
relevantTechniques:
- T1190
metadata:
  support:
    tier: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Threat Intelligence
  source:
    kind: Community
description: |
  'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. 
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'  
queryPeriod: 14d
queryFrequency: 1d
tactics:
- InitialAccess
name: Silk Typhoon New UM Service Child Process
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: SubjectAccount
  - identifier: Name
    columnName: SubjectUserName
  - identifier: NTDomain
    columnName: SubjectDomainName
- entityType: Host
  fieldMappings:
  - identifier: FullName
    columnName: Computer
  - identifier: HostName
    columnName: HostName
  - identifier: NTDomain
    columnName: HostNameDomain
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IpAddress
triggerThreshold: 0
version: 1.1.5
id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
query: |
  let lookback = 14d;
  let timeframe = 1d;
  (union isfuzzy=true
  (SecurityEvent
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where EventID == 4688
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | join kind=rightanti (
  SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | where EventID == 4688) on NewProcessName
  ),
  (WindowsEvent
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where EventID == 4688 and EventData has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend IpAddress = tostring(EventData.IpAddress)
  | join kind=rightanti (
  WindowsEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4688  and EventData has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)
  | project-away DomainIndex
  ))    
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95a15f39-d9cc-4667-8cdd-58f3113691c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95a15f39-d9cc-4667-8cdd-58f3113691c9')]",
      "properties": {
        "alertRuleTemplateName": "95a15f39-d9cc-4667-8cdd-58f3113691c9",
        "customDetails": null,
        "description": "'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'\n",
        "displayName": "Silk Typhoon New UM Service Child Process",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SubjectAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "SubjectUserName",
                "identifier": "Name"
              },
              {
                "columnName": "SubjectDomainName",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml",
        "query": "let lookback = 14d;\nlet timeframe = 1d;\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where EventID == 4688) on NewProcessName\n),\n(WindowsEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688 and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| extend IpAddress = tostring(EventData.IpAddress)\n| join kind=rightanti (\nWindowsEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4688  and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)\n| project-away DomainIndex\n))  \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.1.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}