Detection rules › Kusto

Silk Typhoon New UM Service Child Process

Severity
medium
Time window
14d
Author
Microsoft Security Research
Source
github.com/Azure/Azure-Sentinel

This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

MITRE ATT&CK coverage

TacticTechniques
Initial AccessT1190 Exploit Public-Facing Application

Event coverage

Rule body kusto

id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
name: Silk Typhoon New UM Service Child Process
description: |
  'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. 
  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
severity: Medium
requiredDataConnectors:
  - connectorId: SecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes:
      - SecurityEvent
  - connectorId: WindowsSecurityEvents
    dataTypes: 
      - SecurityEvents 
  - connectorId: WindowsForwardedEvents
    dataTypes: 
      - WindowsEvent 
queryFrequency: 1d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1190
query: |
  let lookback = 14d;
  let timeframe = 1d;
  (union isfuzzy=true
  (SecurityEvent
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where EventID == 4688
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | join kind=rightanti (
  SecurityEvent
  | where TimeGenerated > ago(timeframe)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | where EventID == 4688) on NewProcessName
  ),
  (WindowsEvent
  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
  | where EventID == 4688 and EventData has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend IpAddress = tostring(EventData.IpAddress)
  | join kind=rightanti (
  WindowsEvent
  | where TimeGenerated > ago(timeframe)
  | where EventID == 4688  and EventData has_any ("umworkerprocess.exe", "UMService.exe")
  | extend ParentProcessName = tostring(EventData.ParentProcessName)
  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
  | extend NewProcessName = tostring(EventData.NewProcessName)
  | extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
  | extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName
  | extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))
  | extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)
  | extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)
  | project-away DomainIndex
  ))  
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: SubjectAccount
      - identifier: Name
        columnName: SubjectUserName
      - identifier: NTDomain
        columnName: SubjectDomainName
  - entityType: Host
    fieldMappings:
      - identifier: FullName
        columnName: Computer
      - identifier: HostName
        columnName: HostName
      - identifier: NTDomain
        columnName: HostNameDomain
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress
version: 1.1.5
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Microsoft Security Research
    support:
        tier: Community
    categories:
        domains: [ "Security - Threat Intelligence" ]

Stages and Predicates

Stage 0: let

let lookback = 14d;
let timeframe = 1d;

Stage 1: union

union isfuzzy=true

Stage 2: source

SecurityEvent

Stage 3: where time_window=1209600s

| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)

Stage 4: where

| where EventID == 4688

Stage 5: where

| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")

Stage 6: join

| join kind=rightanti (
SecurityEvent
| where TimeGenerated > ago(timeframe)
| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
| where EventID == 4688) on NewProcessName

Stage 7: source

WindowsEvent

Stage 8: where time_window=1209600s

| where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)

Stage 9: where

| where EventID == 4688 and EventData has_any ("umworkerprocess.exe", "UMService.exe")

Stage 10: extend

| extend ParentProcessName = tostring(EventData.ParentProcessName)

Stage 11: where

| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")

Stage 12: extend

| extend NewProcessName = tostring(EventData.NewProcessName)

Stage 13: extend

| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))

Stage 14: extend

| extend IpAddress = tostring(EventData.IpAddress)

Stage 15: join

| join kind=rightanti (
WindowsEvent
| where TimeGenerated > ago(timeframe)
| where EventID == 4688  and EventData has_any ("umworkerprocess.exe", "UMService.exe")
| extend ParentProcessName = tostring(EventData.ParentProcessName)
| where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
| extend NewProcessName = tostring(EventData.NewProcessName)
| extend Account = strcat(tostring(EventData.SubjectDomainName),"\\", tostring(EventData.SubjectUserName))
| extend IpAddress = tostring(EventData.IpAddress)) on NewProcessName

Stage 16: extend

| extend HostName = tostring(split(Computer, ".")[0]), DomainIndex = toint(indexof(Computer, '.'))

Stage 17: extend

| extend HostNameDomain = iff(DomainIndex != -1, substring(Computer, DomainIndex + 1), Computer)

Stage 18: extend

| extend SubjectUserName = tostring(EventData.SubjectUserName), SubjectDomainName = tostring(EventData.SubjectDomainName)

Stage 19: project-away

| project-away DomainIndex

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
EventDatamatch
  • UMService.exe
  • umworkerprocess.exe
EventIDeq
  • 4688 transforms: cased corpus 312 (splunk 283, kusto 29)
ParentProcessNamematch
  • UMService.exe
  • umworkerprocess.exe

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

FieldSource
ParentProcessNameextend
NewProcessNameextend
Accountextend
IpAddressextend
HostNameextend
HostNameDomainextend
SubjectDomainNameextend
SubjectUserNameextend