Detection rules › Kusto Query Language
Silk Typhoon New UM Service Child Process
'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1190 Exploit Public-Facing Application |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4688 | A new process has been created. |
Stages and Predicates
Stage 1: source
<union>
Stage 2: union
union of 2 branches