Microsoft Exchange Server UM Writing Suspicious Filesedit

Identifies suspicious files being written by the Microsoft Exchange Server Unified Messaging (UM) service. This activity has been observed exploiting CVE-2021-26858.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100



  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Initial Access

Version: 1

Added (Elastic Stack release): 7.12.0

Rule authors: Elastic, Austin Songer

Rule license: Elastic License v2

Potential false positivesedit

Files generated during installation will generate a lot of noise, so the rule should only be enabled after the fact.

Rule queryedit

file where event.type == "creation" and :
("UMWorkerProcess.exe", "umservice.exe") and file.extension :
("php", "jsp", "js", "aspx", "asmx", "asax", "cfm", "shtml") and (
file.path : ("C:\\inetpub\\wwwroot\\aspnet_client\\*",
"C:\\*\\FrontEnd\\HttpProxy\\owa\\auth\\*") or (file.path :
"C:\\*\\FrontEnd\\HttpProxy\\ecp\\auth\\*" and not :
"TimeoutLogoff.aspx") )

Threat mappingedit