
Silk Typhoon New UM Service Child Process

Id95a15f39-d9cc-4667-8cdd-58f3113691c9
RulenameSilk Typhoon New UM Service Child Process
DescriptionThis query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed.

Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
SeverityMedium
TacticsInitialAccess
TechniquesT1190
Required data connectorsSecurityEvents
WindowsForwardedEvents
WindowsSecurityEvents
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
Version1.1.5
Arm template95a15f39-d9cc-4667-8cdd-58f3113691c9.json
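// Silk Typhoon: new child process of the Exchange Unified Messaging (UM) service.
// Baseline window: ago(lookback) .. ago(timeframe); detection window: the last `timeframe`.
// Each branch emits current-window 4688 events whose NewProcessName (under a UM parent)
// has no match in the baseline — join kind=rightanti keeps the unmatched right-side rows.
let lookback = 14d;
let timeframe = 1d;
// UM service binaries whose children are baselined; declared once so both branches agree.
let umParents = dynamic(["umworkerprocess.exe", "UMService.exe"]);
(union isfuzzy=true
// --- SecurityEvent table: ParentProcessName / NewProcessName / SubjectAccount are native columns ---
(SecurityEvent
| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
| where EventID == 4688
| where ParentProcessName has_any (umParents)
| join kind=rightanti (
    SecurityEvent
    | where TimeGenerated > ago(timeframe)
    | where EventID == 4688
    | where ParentProcessName has_any (umParents)
) on NewProcessName
),
// --- WindowsEvent table (Windows Forwarded Events): fields live in the EventData bag ---
(WindowsEvent
| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
// bag-level prefilter before the per-field extraction
| where EventID == 4688 and EventData has_any (umParents)
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where ParentProcessName has_any (umParents)
| extend NewProcessName = tostring(EventData.NewProcessName)
| join kind=rightanti (
    WindowsEvent
    | where TimeGenerated > ago(timeframe)
    | where EventID == 4688 and EventData has_any (umParents)
    | extend ParentProcessName = tostring(EventData.ParentProcessName)
    | where ParentProcessName has_any (umParents)
    | extend NewProcessName = tostring(EventData.NewProcessName)
    | extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)
    | extend Account = strcat(SubjectDomainName, "\\", SubjectUserName)
    // SubjectAccount is the column the Account entity mapping (FullName) reads; SecurityEvent
    // provides it natively, WindowsEvent rows previously left it empty.
    | extend SubjectAccount = Account
    | extend IpAddress = tostring(EventData.IpAddress)
) on NewProcessName
))
// Host enrichment after the union so SecurityEvent rows also populate HostName / HostNameDomain
// (previously only the WindowsEvent branch produced these entity-mapping columns).
| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
| project-away DomainIndex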
# Scheduled Microsoft Sentinel analytic rule: runs daily over a 14-day window and alerts on any
# row returned (triggerThreshold 0, operator gt).
queryPeriod: 14d
queryFrequency: 1d
name: Silk Typhoon New UM Service Child Process
id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
# Entity columns must exist in the query output. SubjectAccount is a native SecurityEvent column;
# the WindowsEvent branch of the query only builds "Account", so Account/FullName is populated
# for SecurityEvent rows only. HostName/HostNameDomain are extended inside the WindowsEvent
# branch only, so SecurityEvent rows carry Computer but no HostName/NTDomain values.
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: SubjectAccount
    identifier: FullName
  - columnName: SubjectUserName
    identifier: Name
  - columnName: SubjectDomainName
    identifier: NTDomain
- entityType: Host
  fieldMappings:
  - columnName: Computer
    identifier: FullName
  - columnName: HostName
    identifier: HostName
  - columnName: HostNameDomain
    identifier: NTDomain
- entityType: IP
  fieldMappings:
  - columnName: IpAddress
    identifier: Address
# Baseline = 4688 events under umworkerprocess.exe / UMService.exe between ago(14d) and ago(1d);
# join kind=rightanti keeps last-1d events whose NewProcessName has no baseline match.
# Block scalar: everything below is KQL, so no YAML comments may be placed inside it.
query: |
  let lookback = 14d;
  let timeframe = 1d;
  (union isfuzzy=true
  (SecurityEvent
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where EventID == 4688
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | join kind=rightanti (
  SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | where EventID == 4688) on NewProcessName
  ),
  (WindowsEvent
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where EventID == 4688 and EventData has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend IpAddress = tostring(EventData.IpAddress)
  | join kind=rightanti (
  WindowsEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4688  and EventData has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)
  | project-away DomainIndex
  ))    
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml
# NOTE(review): connectorId WindowsSecurityEvents is listed twice; the second entry's dataType
# "SecurityEvents" does not match the SecurityEvent table the query reads — confirm against upstream.
requiredDataConnectors:
- connectorId: SecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvent
- connectorId: WindowsSecurityEvents
  dataTypes:
  - SecurityEvents
- connectorId: WindowsForwardedEvents
  dataTypes:
  - WindowsEvent
relevantTechniques:
- T1190
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Intelligence
  source:
    kind: Community
  author:
    name: Microsoft Security Research
# The single quotes on the two lines below are inside the block scalar and so become part of
# the rendered description text (visible as such in the ARM template's "description").
description: |
  'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. 
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'  
tactics:
- InitialAccess
severity: Medium
triggerThreshold: 0
version: 1.1.5
kind: Scheduled
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95a15f39-d9cc-4667-8cdd-58f3113691c9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95a15f39-d9cc-4667-8cdd-58f3113691c9')]",
      "properties": {
        "alertRuleTemplateName": "95a15f39-d9cc-4667-8cdd-58f3113691c9",
        "customDetails": null,
        "description": "'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. \nReference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'\n",
        "displayName": "Silk Typhoon New UM Service Child Process",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "SubjectAccount",
                "identifier": "FullName"
              },
              {
                "columnName": "SubjectUserName",
                "identifier": "Name"
              },
              {
                "columnName": "SubjectDomainName",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "Computer",
                "identifier": "FullName"
              },
              {
                "columnName": "HostName",
                "identifier": "HostName"
              },
              {
                "columnName": "HostNameDomain",
                "identifier": "NTDomain"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SilkTyphoonNewUMServiceChildProcess.yaml",
        "query": "let lookback = 14d;\nlet timeframe = 1d;\n(union isfuzzy=true\n(SecurityEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| join kind=rightanti (\nSecurityEvent\n| where TimeGenerated > ago(timeframe)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| where EventID == 4688) on NewProcessName\n),\n(WindowsEvent\n| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)\n| where EventID == 4688 and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| extend IpAddress = tostring(EventData.IpAddress)\n| join kind=rightanti (\nWindowsEvent\n| where TimeGenerated > ago(timeframe)\n| where EventID == 4688  and EventData has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend ParentProcessName = tostring(EventData.ParentProcessName)\n| where ParentProcessName has_any (\"umworkerprocess.exe\", \"UMService.exe\")\n| extend NewProcessName = tostring(EventData.NewProcessName)\n| extend Account = strcat(tostring(EventData.SubjectDomainName),\"\\\\\", tostring(EventData.SubjectUserName))\n| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName\n| extend HostName = tostring(split(Computer, \".\")[0]), DomainIndex = toint(indexof(Computer, '.'))\n| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)\n| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)\n| project-away DomainIndex\n))  \n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1190"
        ],
        "templateVersion": "1.1.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}