From dbd2874b4fd9c7ea31c732cd8ff5c1742036b62c Mon Sep 17 00:00:00 2001
From: Justin Ibarra
Date: Wed, 14 Apr 2021 23:24:44 -0500
Subject: [PATCH] [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files (#1026)

* [Rule Tuning] Microsoft Exchange Server UM Writing Suspicious Files
* revise note with information from microsoft
* add Exchange Server to paths
* replaced process.parent.name with process.name and C drive with ?

Co-authored-by: Samirbous <64742097+Samirbous@users.noreply.github.com>
---
 ...l_access_suspicious_ms_exchange_files.toml | 29 +++++++++++++++----
 1 file changed, 24 insertions(+), 5 deletions(-)

diff --git a/rules/windows/initial_access_suspicious_ms_exchange_files.toml b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
index 7c5d33a2d..3a450ad1c 100644
--- a/rules/windows/initial_access_suspicious_ms_exchange_files.toml
+++ b/rules/windows/initial_access_suspicious_ms_exchange_files.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2021/03/04"
 maturity = "production"
-updated_date = "2021/03/08"
+updated_date = "2021/03/09"
 
 [rule]
 author = ["Elastic", "Austin Songer"]
@@ -13,12 +13,25 @@ false_positives = [
 """
 Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.
 """,
+ """
+ This rule was tuned using the following baseline:
+ https://raw.githubusercontent.com/microsoft/CSS-Exchange/main/Security/Baselines/baseline_15.2.792.5.csv from
+ Microsoft. Depending on version, consult https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines to
+ help determine normalcy.
+ """,
 ]
 from = "now-9m"
 index = ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"]
 language = "eql"
 license = "Elastic License v2"
 name = "Microsoft Exchange Server UM Writing Suspicious Files"
+note = """## Triage and analysis
+Positive hits can be checked against the established Microsoft [baselines](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines).
+
+Microsoft highly recommends that the best course of action is patching, but this may not protect already compromised systems
+from existing intrusions. Other tools for detecting and mitigating can be found within their Exchange support
+[repository](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
+"""
 references = [
 "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers",
 "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities",
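Review bot: The second `false_positives` entry added here is tuning provenance (which baseline CSV the rule was measured against), not a description of benign activity that can trigger the rule, so it reads better as part of the new `note` field than as a false-positive bullet; the `false_positives` array itself opens before this hunk. The note could also give the analyst a concrete next step, e.g. `Compare the path and name of the written file against the baseline matching the installed Exchange build; a file in these directories that is absent from the baseline should be collected and reviewed rather than dismissed.` The last sentence of the note also lacks a terminal period after the `[repository](...)` link.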
@@ -32,12 +45,18 @@ type = "eql"
 query = '''
 file where event.type == "creation" and
- process.parent.name : ("UMWorkerProcess.exe", "umservice.exe") and
+ process.name : ("UMWorkerProcess.exe", "umservice.exe") and
 file.extension : ("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and
 (
- file.path : ("C:\\inetpub\\wwwroot\\aspnet_client\\*",
- "C:\\*\\FrontEnd\\HttpProxy\\owa\\auth\\*") or
- (file.path : "C:\\*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and not file.name : "TimeoutLogoff.aspx")
+ file.path : "?:\\inetpub\\wwwroot\\aspnet_client\\*" or
+
+ (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\*" and
+ not (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\owa\\auth\\version\\*" or
+ file.name : ("errorFE.aspx", "expiredpassword.aspx", "frowny.aspx", "GetIdToken.htm", "logoff.aspx",
+ "logon.aspx", "OutlookCN.aspx", "RedirSuiteServiceProxy.aspx", "signout.aspx"))) or
+
+ (file.path : "?:\\*\\Microsoft\\Exchange Server*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and
+ not file.name : "TimeoutLogoff.aspx")
 )
 '''