Exchange Worker Process Making Remote Call detects potential command and control activity where the IIS worker process is used to execute remote commands via cmd.exe or PowerShell, indicating possible compromise of Exchange servers. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify and mitigate early-stage adversary access and exfiltration attempts.
KQL Query
let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
// Identify exchange servers based on known paths
// Summarize these to get a list of exchange server hostnames
let exchangeServers = W3CIISLog
| where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
// Only where successful, rule out failed scanning
| where scStatus startswith "2"
| summarize by Computer;
DeviceProcessEvents
| where DeviceName in~ (exchangeServers)
// Where the IIS worker process initiated CMD or PowerShell
| where InitiatingProcessParentFileName == "w3wp.exe"
| where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
| extend Account = strcat(AccountDomain, "\\", AccountName)
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
id: 2c701f94-783c-4cd4-bc9b-3b3334976090
name: Exchange Worker Process Making Remote Call
description: |
'This query dynamically identifies Exchange servers and then looks for instances where the IIS worker process initiates a call out to a remote URL using either cmd.exe or powershell.exe.
This behaviour was described as post-compromise behaviour following exploitation of CVE-2022-41040 and CVE-2022-41082, this pattern of activity was use to download additional tools to the server. This suspicious activity is generic.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureMonitor(IIS)
dataTypes:
- W3CIISLog
- connectorId: MicrosoftThreatProtection
dataTypes:
- DeviceProcessEvents
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Execution
relevantTechniques:
- T1059.001
- T1059.003
query: |
let suspiciousCmdLineKeywords = dynamic(["http://", "https://"]);
// Identify exchange servers based on known paths
// Summarize these to get a list of exchange server hostnames
let exchangeServers = W3CIISLog
| where csUriStem has_any("/owa/","/ews/","/ecp/","/autodiscover/")
// Only where successful, rule out failed scanning
| where scStatus startswith "2"
| summarize by Computer;
DeviceProcessEvents
| where DeviceName in~ (exchangeServers)
// Where the IIS worker process initiated CMD or PowerShell
| where InitiatingProcessParentFileName == "w3wp.exe"
| where InitiatingProcessFileName has_any("cmd.exe", "powershell.exe")
// Where CMD or PowerShell command line included parameters associated with CVE-2022-41040/CVE-2022-41082 exploitation
| where ProcessCommandLine has_any(suspiciousCmdLineKeywords)
| project TimeGenerated, DeviceId, DeviceName, InitiatingProcessFileName, ProcessCommandLine, AccountDomain = InitiatingProcessAccountDomain, AccountName = InitiatingProcessAccountName
| extend Account = strcat(AccountDomain, "\\", AccountName)
| extend HostName = tostring(split(DeviceName, ".")[0]), DomainIndex = toint(indexof(DeviceName, '.'))
| extend HostNameDomain = iff(DomainIndex != -1, substring(DeviceName, DomainIndex + 1), DeviceName)
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Account
- identifier: Name
columnName: AccountName
- identifier: NTDomain
columnName: AccountDomain
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: DeviceName
- identifier: HostName
columnName: HostName
- identifier: NTDomain
columnName: HostNameDomain
version: 1.1.2
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Microsoft Security Community
support:
tier: Community
categories:
domains: [ "Application" ]
| Sentinel Table | Notes |
|---|---|
DeviceProcessEvents | Ensure this data connector is enabled |
W3CIISLog | Ensure this data connector is enabled |
Scenario: Scheduled Maintenance Task Using PowerShell
Description: A scheduled task runs a PowerShell script to perform routine maintenance on Exchange databases.
Filter/Exclusion: ProcessName != "powershell.exe" OR CommandLine NOT LIKE '%Exchange%'
Scenario: Remote Management via PowerShell for Configuration Updates
Description: An admin uses PowerShell Remoting to apply configuration updates to Exchange servers from a central management workstation.
Filter/Exclusion: SourceComputerName != "ManagementServerHostname" OR ProcessName != "powershell.exe"
Scenario: Exchange Hybrid Configuration Sync Using PowerShell
Description: A PowerShell script is used to synchronize hybrid Exchange environments, which may involve remote calls to Azure or other cloud services.
Filter/Exclusion: CommandLine LIKE '%HybridConfiguration%' OR CommandLine LIKE '%Azure%'
Scenario: IIS Worker Process Performing Legitimate Outbound API Calls
Description: The IIS worker process (w3wp.exe) makes outbound calls to a third-party service for email analytics or monitoring.
Filter/Exclusion: ProcessName != "w3wp.exe" OR CommandLine NOT LIKE '%api.example.com%'
Scenario: Exchange Server Performing DNS Resolution via PowerShell
Description: A PowerShell script is used to resolve DNS entries for Exchange-related services, which may involve outbound calls to DNS servers.
Filter/Exclusion: CommandLine LIKE '%Resolve-DnsName%' OR CommandLine LIKE '%DNS%'