Exchange vulnerability launching subprocesses through UMWorkerProcess

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:

• CVE-2021-26855
• CVE-2021-26857
• CVE-2021-26858
• CVE-2021-27065

The following query surfaces when unusual subprocesses were launched by MWorkerProcess, the Exchange Unified Messaging service. This might indicate exploitation of CVE-2021-26857 to run arbitrary code.

More queries related to this threat can be found under the See also section of this page.

Query

DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName !in~("wermgr.exe", "WerFault.exe")

Category

This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.

See also

• Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
• Procdump dumping LSASS credentials
• 7-ZIP used by attackers to prepare data for exfiltration
• Exchange PowerShell snap-in being loaded
• Powercat exploitation tool downloaded
• Exchange vulnerability creating web shells via UMWorkerProcess
• Exchange Server IIS dropping web shells and other artifacts
• Base64-encoded Nishang commands for loading reverse shell

Contributor info

Contributor: Microsoft 365 Defender team