This repository has been archived by the owner on Feb 17, 2022. It is now read-only.

Exchange vulnerability launching subprocesses through UMWorkerProcess

This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".

In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:

The following query surfaces unusual subprocesses launched by UMWorkerProcess.exe, the worker process of the Exchange Unified Messaging service. That process normally spawns little besides Windows Error Reporting, so other child processes might indicate exploitation of CVE-2021-26857, an insecure deserialization vulnerability in the Unified Messaging service, to run arbitrary code.

More queries related to this threat can be found under the See also section of this page.


```kusto
// The table name did not survive extraction; DeviceProcessEvents (advanced hunting
// process-creation events) is assumed, since InitiatingProcessFileName and FileName
// are its columns.
DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName !in~("wermgr.exe", "WerFault.exe")
```


This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.

| Technique, tactic, or state | Covered? (v=yes) | Notes |
|---|---|---|
| Initial access | | |
| Execution | v | An unusually large number of events launching wermgr.exe and WerFault.exe can also indicate a compromise: failed exploitation attempts crash the Unified Messaging worker during deserialization, and Windows Error Reporting is launched for each crash. |
| Privilege escalation | | |
| Defense evasion | | |
| Credential Access | | |
| Lateral movement | | |
| Command and control | | |
| Exploit | v | |
| Malware, component | | |
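The query's logic, together with the crash-spike signal described in the Notes column, re-implemented in Python over a handful of constructed DeviceProcessEvents-style records so the detection can be checked offline before it is written as KQL. This is an added example, not code from the repository or the Microsoft 365 Defender team; the record shape, device names, command lines, and the spike threshold of five Windows Error Reporting launches within 30 minutes are assumptions for illustration. It keeps the query's comparison semantics: `==` in KQL is case-sensitive, while `!in~` is case-insensitive.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names the hunting query excludes. KQL's !in~ is case-insensitive,
# so the comparison is done on lower-cased names.
WER_PROCESSES = {"wermgr.exe", "werfault.exe"}
# KQL's == is case-sensitive, so the parent match is exact, as in the query.
UM_WORKER = "UMWorkerProcess.exe"


def _event(ts, device, parent, child, cmdline=""):
    """Build one DeviceProcessEvents-style record (constructed sample data)."""
    return {
        "Timestamp": datetime.fromisoformat(ts),
        "DeviceName": device,
        "InitiatingProcessFileName": parent,
        "FileName": child,
        "ProcessCommandLine": cmdline,
    }


# Constructed telemetry, not real data: device names and command lines are invented.
SAMPLE_EVENTS = [
    # exch01: a shell spawned by the UM worker, then a burst of WER launches
    _event("2021-03-02T10:00:00", "exch01", "UMWorkerProcess.exe", "cmd.exe", "cmd.exe /c whoami"),
    *[_event(f"2021-03-02T10:{m:02d}:00", "exch01", "UMWorkerProcess.exe", "WerFault.exe")
      for m in range(1, 7)],
    _event("2021-03-02T10:07:00", "exch01", "UMWorkerProcess.exe", "WERMGR.EXE"),  # odd casing, still WER
    # exch02: one PowerShell launch and a single crash
    _event("2021-03-02T11:00:00", "exch02", "UMWorkerProcess.exe", "powershell.exe", "powershell.exe -NoProfile"),
    _event("2021-03-02T11:00:30", "exch02", "UMWorkerProcess.exe", "WerFault.exe"),
    # exch03: cmd.exe from the IIS worker (out of scope for this query) and two crashes hours apart
    _event("2021-03-02T12:00:00", "exch03", "w3wp.exe", "cmd.exe", "cmd.exe /c dir"),
    _event("2021-03-02T09:00:00", "exch03", "UMWorkerProcess.exe", "wermgr.exe"),
    _event("2021-03-02T15:00:00", "exch03", "UMWorkerProcess.exe", "wermgr.exe"),
]


def is_wer(file_name):
    return file_name.lower() in WER_PROCESSES


def suspicious_um_children(events):
    """Equivalent of the hunting query: child processes of UMWorkerProcess.exe
    other than Windows Error Reporting."""
    return [
        e for e in events
        if e["InitiatingProcessFileName"] == UM_WORKER and not is_wer(e["FileName"])
    ]


def wer_crash_spikes(events, threshold=5, window=timedelta(minutes=30)):
    """The second signal from the Notes column: repeated WER launches from the UM
    worker in a short window mean the service is crashing over and over, which is
    what failed deserialization exploit attempts look like. Returns
    {device: highest WER launch count seen in any `window`} for devices at or
    above `threshold`. The threshold is a tuning assumption, not a Microsoft value."""
    stamps_by_device = defaultdict(list)
    for e in events:
        if e["InitiatingProcessFileName"] == UM_WORKER and is_wer(e["FileName"]):
            stamps_by_device[e["DeviceName"]].append(e["Timestamp"])

    spikes = {}
    for device, stamps in stamps_by_device.items():
        stamps.sort()
        best, j = 0, 0
        for i in range(len(stamps)):  # sliding window over sorted timestamps
            while j < len(stamps) and stamps[j] - stamps[i] <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            spikes[device] = best
    return spikes


if __name__ == "__main__":
    for e in suspicious_um_children(SAMPLE_EVENTS):
        print(f"{e['DeviceName']}: {e['FileName']} <- {e['ProcessCommandLine']}")
    print("WER spikes:", wer_crash_spikes(SAMPLE_EVENTS))
```

Run stand-alone, it lists the cmd.exe and powershell.exe launches and flags exch01 for seven WER launches within eight minutes, while the w3wp.exe child on exch03 is ignored because this query only looks at the Unified Messaging worker. When porting the crash-spike view back to KQL, `summarize countif(FileName in~ ("wermgr.exe", "WerFault.exe")) by DeviceName, bin(Timestamp, 30m)` over the same `InitiatingProcessFileName` filter gives the per-device count, and using `=~` instead of `==` for the parent comparison costs nothing and tolerates differently cased file names.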

See also

Contributor info

Contributor: Microsoft 365 Defender team