We’ve detected suspicious activity in multiple environments today, and, while we haven’t yet observed a payload, we’re concerned the activity may be the result of Exchange Server compromise. 1/7 #RCintel
What we’re observing is consistent with DLTminer precursor activity uncovered by @vmw_carbonblack in 2019, specifically its use of scheduled tasks to execute PowerShell and make external network connections. carbonblack.com/blog/cb-tau-te… 2/7
Prior to the Scheduled Task and PowerShell activity, we’re seeing the adversary leverage the IIS Worker process (w3wp.exe) to spawn the Command Processor in a manner that’s consistent with web shell activity. 3/7
This is noteworthy because we believe the adversary may be exploiting Exchange Server vulnerabilities. Luckily there are at least two detection opportunities here that should be useful for detecting certain web shells and post-exploitation activity. 4/7
Detection opportunity #1: Monitor for a chain of process executions from a Windows IIS worker process (`w3wp.exe`) that spawns a process that appears to be the command processor (`cmd`), which, in turn, launches PowerShell (`powershell.exe` or `pwsh.exe`). 5/7
Detection opportunity #2: Look out for a process that appears to be `schtasks.exe` executing in conjunction with a command line that includes the following parameters: `create` and `powershell`. 6/7
These detections suggest an Exchange Server compromise, which is timely considering the Exchange vulnerabilities patched this week. This activity serves as a reminder to patch your Exchange servers ASAP and to practice defense in depth with broad behavioral analytics. 7/7
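The two detection opportunities above, expressed as detection logic over process-creation events. This is an added example, not Red Canary's code; the event records are constructed Sysmon-style samples (pid, ppid, image path, command line), and the benign explorer.exe branch is included to show what the rules should not flag.

```python
# Constructed sample process-creation events, not real telemetry.
# pid 100-400 models the thread: w3wp.exe -> cmd.exe -> powershell.exe -> schtasks /create ... powershell
# pid 500-800 is an interactive user session that should not match either rule.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": "w3wp.exe -ap MSExchangeOWAAppPool"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -w hidden -c <placeholder>"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c <placeholder>"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 30 /tn Update /tr "powershell -w hidden -c <placeholder>"'},
    {"pid": 500, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Get-Process"},
    {"pid": 800, "ppid": 500, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /query /tn Update"},
]

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events, pid):
    """Image names from the process itself up to the root (self, parent, grandparent, ...)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # guard against pid reuse cycles
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain

def detect_iis_cmd_powershell(events):
    """Opportunity #1: w3wp.exe -> cmd.exe -> powershell.exe/pwsh.exe; returns matching PowerShell pids."""
    hits = []
    for e in events:
        chain = ancestry(events, e["pid"])
        if (len(chain) >= 3 and chain[0] in ("powershell.exe", "pwsh.exe")
                and chain[1] == "cmd.exe" and chain[2] == "w3wp.exe"):
            hits.append(e["pid"])
    return hits

def detect_schtasks_powershell(events):
    """Opportunity #2: schtasks.exe whose command line contains both 'create' and 'powershell'."""
    return [e["pid"] for e in events
            if basename(e["image"]) == "schtasks.exe"
            and "create" in e["cmdline"].lower() and "powershell" in e["cmdline"].lower()]
```

Running both rules over `EVENTS` flags pid 300 (rule #1) and pid 400 (rule #2) and leaves the explorer.exe session alone; in production the same logic maps onto Sysmon Event ID 1 or equivalent EDR process telemetry.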
