elastic · medium · TTP
Microsoft Exchange Server UM Writing Suspicious Files
Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.
Detection Query
// Matches Windows file-creation events written by one of the two Exchange Unified Messaging
// binaries named below. The process is identified by name only (process.name).
file where host.os.type == "windows" and event.type == "creation" and
process.name : ("UMWorkerProcess.exe", "umservice.exe") and
// Only these eight extensions are evaluated; a file with any other extension never alerts,
// so compare this list with the handler mappings enabled on your Exchange/IIS hosts.
file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
(
// Branch 1: anything under the IIS aspnet_client directory, on any drive letter.
file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or
// Branch 2: the OWA auth directory, excluding its version\ subtree and a fixed list of file names.
// NOTE(review): "GetIdToken.htm" cannot take effect here, because "htm" is not in the
// extension list above.
(file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
"logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or
// Branch 3: the ECP auth directory, excluding TimeoutLogoff.aspx.
(file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
not file.name : "TimeoutLogoff.aspx")
)
Author
Elastic, Austin Songer
Created
2021/03/04
Data Sources
Elastic Endgame, Elastic Defend, Sysmon, Microsoft Defender for Endpoint, SentinelOne
winlogbeat-*, logs-endpoint.events.file-*, logs-windows.sysmon_operational-*, endgame-*, logs-m365_defender.event-*, logs-sentinel_one_cloud_funnel.*
References
Tags
Domain: Endpoint, OS: Windows, Use Case: Threat Detection, Tactic: Initial Access, Tactic: Lateral Movement, Data Source: Elastic Endgame, Use Case: Vulnerability, Data Source: Elastic Defend, Data Source: Sysmon, Data Source: Microsoft Defender for Endpoint, Data Source: SentinelOne, Resources: Investigation Guide
Raw Content
# Rule-file metadata: dates, maturity and integrations. Dates are strings in YYYY/MM/DD form,
# not native TOML dates.
[metadata]
creation_date = "2021/03/04"
# Four integrations are named here, while rule.index lists six index patterns;
# winlogbeat-* and endgame-* have no correspondingly named entry in this list.
integration = ["endpoint", "windows", "m365_defender", "sentinel_one_cloud_funnel"]
maturity = "production"
updated_date = "2026/03/24"
[rule]
author = ["Elastic", "Austin Songer"]
# Summary of what the rule looks for and the CVE the behaviour was observed with.
description = """
Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity
has been observed exploiting CVE-2021-26858.
"""
# Two documented benign sources of matches: files written during Exchange installation, and
# version-specific files that Microsoft's CSS-Exchange baselines list as expected.
false_positives = [
"""
Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
""",
"""
This rule was tuned using the following baseline:
https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from
Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to
help determine normalcy.
""",
]
# Look-back window: each run considers events from the last 9 minutes.
# The run interval is not set in this file.
from = "now-9m"
# Index patterns the query is run against, one per supported data source.
index = [
"winlogbeat-*",
"logs-endpoint.events.file-*",
"logs-windows.sysmon_operational-*",
"endgame-*",
"logs-m365_defender.event-*",
"logs-sentinel_one_cloud_funnel.*",
]
language = "eql"
license = "Elastic License v2"
name = "Microsoft Exchange Server UM Writing Suspicious Files"
# Markdown investigation guide. It points to Microsoft's CSS-Exchange baselines for checking
# hits and states that patching may not protect systems that are already compromised.
note = """## Triage and analysis
Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).
Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support
[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
"""
# Microsoft and Volexity write-ups, both dated 2021/03/02 in their URLs, on exploitation of
# Exchange servers.
references = [
"https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
"https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
]
# Numeric score paired with the "medium" severity label below.
risk_score = 47
rule_id = "6cd1779c-560f-4b68-a8f1-11009b27fe63"
severity = "medium"
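# "Tactic:" tags mirror the tactics mapped in this file's [[rule.threat]] entries:
# Initial Access (TA0001), Lateral Movement (TA0008) and Persistence (TA0003).
# The Persistence tag was missing although the Web Shell technique (T1505.003) is mapped.
tags = [
"Domain: Endpoint",
"OS: Windows",
"Use Case: Threat Detection",
"Tactic: Initial Access",
"Tactic: Lateral Movement",
"Tactic: Persistence",
"Data Source: Elastic Endgame",
"Use Case: Vulnerability",
"Data Source: Elastic Defend",
"Data Source: Sysmon",
"Data Source: Microsoft Defender for Endpoint",
"Data Source: SentinelOne",
"Resources: Investigation Guide",
]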
# Uses event.ingested rather than the event's own timestamp as the time field for the
# look-back window, which keeps late-arriving events in scope.
timestamp_override = "event.ingested"
type = "eql"
# The query is a TOML multi-line literal string ('''), so every "\\" reaches EQL unchanged
# and is read there as one escaped backslash.
# Logic: Windows file-creation events written by UMWorkerProcess.exe or umservice.exe, limited
# to eight script/page extensions, in one of three locations: inetpub\wwwroot\aspnet_client,
# the OWA auth directory (minus its version\ subtree and nine named files), or the ECP auth
# directory (minus TimeoutLogoff.aspx).
# NOTE(review): the exclusions match on file name only, not content; check excluded files
# against the Microsoft baselines referenced in false_positives. "GetIdToken.htm" cannot take
# effect because "htm" is not in the file.extension list.
query = '''
file where host.os.type == "windows" and event.type == "creation" and
process.name : ("UMWorkerProcess.exe", "umservice.exe") and
file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
(
file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or
(file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
"logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or
(file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
not file.name : "TimeoutLogoff.aspx")
)
'''
# ATT&CK mapping: Initial Access (TA0001) through T1190, Exploit Public-Facing Application.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
# ATT&CK mapping: Lateral Movement (TA0008) through T1210, Exploitation of Remote Services.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1210"
name = "Exploitation of Remote Services"
reference = "https://attack.mitre.org/techniques/T1210/"
[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
# ATT&CK mapping: Persistence (TA0003) through T1505 with sub-technique T1505.003, Web Shell.
# This is the mapping closest to what the query inspects: script/page files created under
# web-served Exchange and IIS directories.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"
[[rule.threat.technique.subtechnique]]
id = "T1505.003"
name = "Web Shell"
reference = "https://attack.mitre.org/techniques/T1505/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"