Exchange vulnerability creating web shells via UMWorkerProcess
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
The following query detects unusual files being created by UMWorkerProcess.exe, the Exchange Unified Messaging service process. Such file writes might indicate that CVE-2021-26858 is being exploited to drop a web shell.
More queries related to this threat can be found under the See also section of this page.
```kusto
DeviceFileEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName !in~("CacheCleanup.bin", "cleanup.bin")
| where FileName !endswith ".txt"
| where FileName !endswith ".LOG"
| where FileName !endswith ".cfg"
```
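To see what the query's filters keep and discard, here is an added example (not part of the original page or of Microsoft's query) that replays the same where clauses in Python over constructed DeviceFileEvents rows. It preserves the KQL semantics that matter: `==` is case-sensitive, while `in~` and `endswith` are case-insensitive.

```python
"""Replay of the UMWorkerProcess file-creation hunt over constructed rows."""
from dataclasses import dataclass

# Exclusions mirrored from the KQL query. In KQL, in~ and endswith compare
# case-insensitively, so names are lowercased before these checks.
BENIGN_NAMES = {"cachecleanup.bin", "cleanup.bin"}
BENIGN_SUFFIXES = (".txt", ".log", ".cfg")


@dataclass(frozen=True)
class DeviceFileEvent:
    timestamp: str
    device_name: str
    initiating_process_file_name: str
    file_name: str
    folder_path: str


def is_suspicious(ev: DeviceFileEvent) -> bool:
    """True when the row would survive every where clause of the query."""
    # KQL == is case-sensitive; use =~ in KQL if you want to relax this.
    if ev.initiating_process_file_name != "UMWorkerProcess.exe":
        return False
    name = ev.file_name.lower()
    if name in BENIGN_NAMES:
        return False
    return not name.endswith(BENIGN_SUFFIXES)


def hunt(events):
    """Return the rows that the query would surface for triage."""
    return [ev for ev in events if is_suspicious(ev)]


# Constructed sample rows; device names, paths and file names are illustrative.
SAMPLE_EVENTS = [
    DeviceFileEvent("2021-03-03T10:00:00Z", "exch01", "UMWorkerProcess.exe",
                    "CacheCleanup.bin", r"C:\constructed\UM"),
    DeviceFileEvent("2021-03-03T10:00:05Z", "exch01", "UMWorkerProcess.exe",
                    "voicemail.LOG", r"C:\constructed\UM"),
    DeviceFileEvent("2021-03-03T10:00:10Z", "exch01", "UMWorkerProcess.exe",
                    "settings.CFG", r"C:\constructed\UM"),      # upper-case ext
    DeviceFileEvent("2021-03-03T10:01:00Z", "exch01", "UMWorkerProcess.exe",
                    "example.aspx", r"C:\constructed\wwwroot"),  # flagged
    DeviceFileEvent("2021-03-03T10:01:30Z", "exch01", "w3wp.exe",
                    "other.aspx", r"C:\constructed\wwwroot"),    # wrong process
]

if __name__ == "__main__":
    for ev in hunt(SAMPLE_EVENTS):
        print(ev.timestamp, ev.device_name, ev.folder_path, ev.file_name)
```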
This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
|Technique, tactic, or state|Covered? (v=yes)|Notes|
|---|---|---|
|Command and control|v| |

See also

- Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
- Procdump dumping LSASS credentials
- 7-ZIP used by attackers to prepare data for exfiltration
- Exchange PowerShell snap-in being loaded
- Powercat exploitation tool downloaded
- Exchange Server IIS dropping web shells and other artifacts
- Exchange vulnerability launching subprocesses through UMWorkerProcess
- Base64-encoded Nishang commands for loading reverse shell
Contributor: Microsoft 365 Defender team