This hunting query surfaces child processes of UMWorkerProcess.exe, the Exchange Unified Messaging worker process, other than the Windows Error Reporting binaries it is expected to launch. A healthy UM worker has no reason to spawn a shell, a scripting host or an arbitrary executable, so any such child is a strong indicator that an adversary is running code in the UM service context (the behavior associated with CVE-2021-26857) and staging follow-on activity such as persistence or lateral movement. SOC teams should proactively hunt for this activity in Azure Sentinel and investigate every hit on an Exchange server that was internet-exposed before the March 2021 patches were applied.
KQL Query
DeviceProcessEvents
| where InitiatingProcessFileName == "UMWorkerProcess.exe"
| where FileName !in~("wermgr.exe", "WerFault.exe")
id: 13355269-f755-4b81-8a72-e80c3f4a8016
name: umworkerprocess-unusual-subprocess-activity
description: |
  This query was originally published in the threat analytics report, "Exchange Server zero-days exploited in the wild".
  In early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:
  1. CVE-2021-26855
  2. CVE-2021-26857
  3. CVE-2021-26858
  4. CVE-2021-27065
  The following query surfaces unusual subprocesses launched by UMWorkerProcess.exe, the worker process of the Exchange Unified Messaging service. This might indicate exploitation of CVE-2021-26857 to run arbitrary code.
  More queries related to this threat can be found under the See also section of this page.
  Reference - https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceProcessEvents
tactics:
  - Execution
  - Exploit
query: |
  DeviceProcessEvents
  | where InitiatingProcessFileName == "UMWorkerProcess.exe"
  | where FileName !in~("wermgr.exe", "WerFault.exe")
| Sentinel Table | Notes |
|---|---|
| DeviceProcessEvents | Populated by the Microsoft 365 Defender (MicrosoftThreatProtection) data connector; ensure the connector is enabled and the DeviceProcessEvents data type is selected, otherwise the query returns nothing rather than failing. |
False positives and tuning
The query already pins the parent to UMWorkerProcess.exe, so an exclusion keyed on any other parent process (schtasks.exe, devenv.exe, ssms.exe, the Windows Update service, powershell.exe) is a no-op: rows with those parents never enter this result set. The only meaningful tuning is on the child (FileName, ProcessCommandLine), and a healthy UM worker launches almost nothing besides the Windows Error Reporting binaries already excluded. Baseline the children seen under UMWorkerProcess.exe per Exchange server before adding any exclusion, and never exclude shells or scripting hosts (cmd.exe, powershell.exe, wscript.exe, cscript.exe), since those are the hits the query exists to find. The generic scenarios below are kept for completeness; each one is answered in terms of this query.
Scenario: A system administrator is using Task Scheduler to run a legitimate maintenance script that spawns a subprocess.
Filter/Exclusion: Not applicable. Scheduled task actions are started by the Task Scheduler service, not by UMWorkerProcess.exe, so an exclusion on schtasks.exe or on a command line containing schtasks /run never matches here.
Scenario: A developer is using Visual Studio to debug an application, which spawns a subprocess for debugging purposes.
Filter/Exclusion: Not applicable. devenv.exe is not a child of UMWorkerProcess.exe and has no place on a production Exchange server; a debugger attached to the UM worker is a finding to investigate, not a false positive to exclude.
Scenario: A database administrator is using SQL Server Management Studio (SSMS) to execute a batch job that spawns a subprocess for data import.
Filter/Exclusion: Not applicable. ssms.exe, bcp and sqlcmd are not launched by UMWorkerProcess.exe; if they ever appear as its children, investigate rather than exclude.
Scenario: A system update is being performed via Windows Update which temporarily spawns subprocesses during installation.
Filter/Exclusion: Not applicable. Update installers run under the Windows Update service host and the installer services, never under UMWorkerProcess.exe, so wuauclt.exe or WindowsUpdate.exe exclusions change nothing in this query.
Scenario: A DevOps engineer is using PowerShell to run a scheduled job that spawns a subprocess for log rotation or backup.
Filter/Exclusion: Do not exclude. powershell.exe spawned by UMWorkerProcess.exe is exactly the pattern this query is built to catch; an exclusion on command lines containing Start-Job or Invoke-Command would hide a real hit. A scheduled PowerShell job has the Task Scheduler service as its parent and is never in this result set anyway.
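The predicate the query applies, and the tuning rules above, as an added example that is not part of the original page or of Microsoft's Azure Sentinel hunting-query repository: a Python emulation of the two `where` clauses, with KQL's comparison semantics (`==` case-sensitive, `!in~` case-insensitive), run over constructed DeviceProcessEvents rows. Column names follow the real DeviceProcessEvents schema; the device names, PIDs and command lines are invented, and `expected_children` and `case_insensitive_parent` are parameters introduced here, not part of the page's query.

```python
"""
Python emulation of the UMWorkerProcess.exe hunting query (added example,
not part of the original page or of Microsoft's Azure Sentinel repository).
Column names follow the DeviceProcessEvents schema; all rows are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Children the original query treats as expected for the UM worker process
# (Windows Error Reporting). Compared case-insensitively, like KQL `!in~`.
EXPECTED_CHILDREN: Sequence[str] = ("wermgr.exe", "WerFault.exe")


@dataclass(frozen=True)
class ProcessEvent:
    """The DeviceProcessEvents columns the query and its tuning touch."""
    DeviceName: str
    InitiatingProcessFileName: str
    FileName: str
    ProcessCommandLine: str


def kql_eq(left: str, right: str, case_insensitive: bool = False) -> bool:
    """KQL string equality: `==` is case-sensitive, `=~` is not."""
    if case_insensitive:
        return left.casefold() == right.casefold()
    return left == right


def kql_not_in_ci(value: str, values: Iterable[str]) -> bool:
    """KQL `!in~`: negated, case-insensitive membership test."""
    return value.casefold() not in {v.casefold() for v in values}


def unusual_um_subprocesses(
    events: Iterable[ProcessEvent],
    expected_children: Sequence[str] = EXPECTED_CHILDREN,
    case_insensitive_parent: bool = False,
) -> List[ProcessEvent]:
    """Rows the hunting query would surface.

    case_insensitive_parent=False reproduces the page's `==` exactly;
    True is the `=~` variant, which also catches a parent logged in a
    different casing. expected_children is the only tuning knob that makes
    sense here: the parent is already fixed, so an exclusion keyed on some
    other parent process can never change the result.
    """
    return [
        e for e in events
        if kql_eq(e.InitiatingProcessFileName, "UMWorkerProcess.exe", case_insensitive_parent)
        and kql_not_in_ci(e.FileName, expected_children)
    ]


# Constructed sample telemetry (hostnames, PIDs and command lines invented).
SAMPLE_EVENTS = [
    # Expected: the UM worker crashed and WER picked it up.
    ProcessEvent("EXCH01", "UMWorkerProcess.exe", "WerFault.exe", "WerFault.exe -u -p 4120 -s 1234"),
    # Suspicious: a shell and a scripting host under the UM worker.
    ProcessEvent("EXCH01", "UMWorkerProcess.exe", "cmd.exe", "cmd.exe /c whoami"),
    ProcessEvent("EXCH01", "UMWorkerProcess.exe", "powershell.exe", "powershell.exe -enc AAAA"),
    # Different parent (IIS worker): outside this query's scope entirely.
    ProcessEvent("EXCH01", "w3wp.exe", "cmd.exe", "cmd.exe /c echo test"),
    # Same suspicious pattern, but the parent name was logged in lower case.
    ProcessEvent("EXCH02", "umworkerprocess.exe", "cmd.exe", "cmd.exe /c net user"),
    # Expected child in upper case: `!in~` still excludes it.
    ProcessEvent("EXCH02", "UMWorkerProcess.exe", "WERMGR.EXE", "wermgr.exe -upload"),
]


if __name__ == "__main__":
    for e in unusual_um_subprocesses(SAMPLE_EVENTS, case_insensitive_parent=True):
        print(f"{e.DeviceName}: {e.InitiatingProcessFileName} -> {e.FileName}  {e.ProcessCommandLine}")
```

With the page's `==` the EXCH02 row whose parent was logged as umworkerprocess.exe is silently dropped while the upper-cased WERMGR.EXE row is still correctly excluded by `!in~`; switching the parent comparison to `=~` (case_insensitive_parent=True) closes that gap at no cost. Any tuning belongs in expected_children, and adding cmd.exe or powershell.exe there removes exactly the rows the hunt is for.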