Exchange vulnerability launching subprocesses through UMWorkerProcess
This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
The following query surfaces unusual subprocesses launched by UMWorkerProcess.exe, the Exchange Unified Messaging service. Such child processes might indicate exploitation of CVE-2021-26857 to run arbitrary code.
More queries related to this threat can be found under the See also section of this page.
```kusto
DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName !in~ ("wermgr.exe", "WerFault.exe")
```
This query can be used to detect the following attack techniques and tactics (see MITRE ATT&CK framework) or security configuration states.
|Technique, tactic, or state|Covered? (v=yes)|Notes|
|---|---|---|
|Execution|v|An unusually large number of events launching wermgr.exe and WerFault.exe can also indicate a compromise due to the server crashing during deserialization.|
|Command and control|||
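As an added example (not part of the original Microsoft query), the following KQL extends the detection above with the condition from the notes: it lists unexpected UMWorkerProcess.exe children with triage context and, separately, flags hosts with an unusually high rate of wermgr.exe/WerFault.exe launches from the same parent. The 7-day lookback, 1-hour window and crashThreshold value are assumptions to tune against your own baseline.

```kusto
// Added example; not from the original page. Column names are the standard
// DeviceProcessEvents schema; lookback, window and threshold are assumed values.
let lookback = 7d;
let crashThreshold = 50;   // assumed: launches per device per hour worth a look
let umChildren = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "UMWorkerProcess.exe";
// 1) Unexpected children of the Unified Messaging worker, with context to triage
let unusualChildren = umChildren
| where FileName !in~ ("wermgr.exe", "WerFault.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessCommandLine, InitiatingProcessId, SHA256
| extend Signal = "unusual UMWorkerProcess child";
// 2) Bursts of crash-handler launches, which the notes associate with the
//    service crashing during deserialization
let crashBursts = umChildren
| where FileName in~ ("wermgr.exe", "WerFault.exe")
| summarize CrashHandlerLaunches = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, WindowStart = bin(Timestamp, 1h)
| where CrashHandlerLaunches > crashThreshold
| extend Signal = "crash-handler burst";
// Single result set: both signal types, newest first
unusualChildren
| union crashBursts
| sort by coalesce(Timestamp, WindowStart) desc
```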
See also

- Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique
- Procdump dumping LSASS credentials
- 7-Zip used by attackers to prepare data for exfiltration
- Exchange PowerShell snap-in being loaded
- Powercat exploitation tool downloaded
- Exchange vulnerability creating web shells via UMWorkerProcess
- Exchange Server IIS dropping web shells and other artifacts
- Base64-encoded Nishang commands for loading reverse shell
Contributor: Microsoft 365 Defender team