I wanted to know if it is possible to trigger an email alert with SAM or any other method when the Windows IIS server Application Pool process executes net.exe, cmd.exe, or mshta.exe?
Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like ‘MSExchangeOWAAppPool’ or ‘MSExchangeECPAppPool’ are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.
The above was taken from Point #5 from: https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/
Thank you in advance.
Hey, @itengineer, I made a proof of concept for you to try! Here is a PowerShell script that you can download and run locally to test, then put into a SAM template if you'd like. Download from here: https://github.com/SturdyErde/Get-RiskyProcesses
It's pretty well documented within, but start by looking at the $riskyProcesses and $riskyParents variables. On my machine, I tested by adding "code.exe" and "teams.exe" as test triggers. Below you can see the results of this script finding a teams.exe process that was spawned by a parent teams.exe process. That's not risky, but of course, I'm not running IIS on my workstation.
For the application template, add a Windows PowerShell component monitor and paste the script into the script body. Put "Orion" (without quotes) in the Script Arguments box to tell it to provide output formatted for Orion, and then set your warning threshold to greater than 0.
I have not had a chance to fully test this SAM template against a server, which is why I have not yet posted the actual template to Thwack. Still, if you have time, creating a test template shouldn't take long. Creating a good test scenario is the hardest part!
Please reply if you have any questions. Please feel free to submit a pull request on GitHub if you see any room for improvement on the script!
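As an added illustration of the detection logic the answer describes (this is not the Get-RiskyProcesses script from GitHub), the PowerShell below snapshots running processes, walks each risky process's parent chain up to an IIS worker, and emits the Statistic/Message lines a SAM Windows PowerShell component monitor reads when "Orion" is passed as the argument. The watch lists and the 8-hop ancestry limit are constructed assumptions.

```powershell
param([string]$OutputMode = "Console")   # pass "Orion" for SAM-style output

# Constructed watch lists (assumption): child names to flag, and the parent that makes them suspicious.
$riskyProcesses = @('net.exe', 'cmd.exe', 'mshta.exe')
$riskyParents   = @('w3wp.exe')

# One CIM snapshot; Win32_Process exposes ParentProcessId, which Get-Process does not.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }

# Walk up the parent chain (at most 8 hops) looking for a process named in $riskyParents.
function Get-RiskyAncestor {
    param([uint32]$ProcessId)
    $hops = 0
    $cur  = $byPid[$ProcessId]
    while ($cur -and $hops -lt 8) {
        $parent = $byPid[[uint32]$cur.ParentProcessId]
        # PID 0 is its own parent; a missing parent means the PID was reused or exited.
        if (-not $parent -or $parent.ProcessId -eq $cur.ProcessId) { break }
        if ($riskyParents -contains $parent.Name) { return $parent }
        $cur = $parent; $hops++
    }
    return $null
}

$findings = foreach ($p in $procs) {
    if ($riskyProcesses -notcontains $p.Name) { continue }
    $anc = Get-RiskyAncestor -ProcessId $p.ProcessId
    if ($anc) {
        [pscustomobject]@{
            Child       = "$($p.Name) (PID $($p.ProcessId))"
            Ancestor    = "$($anc.Name) (PID $($anc.ProcessId))"
            CommandLine = $p.CommandLine
        }
    }
}

$count = @($findings).Count
if ($OutputMode -eq 'Orion') {
    # SAM's Windows PowerShell monitor parses these two lines; set the Warning threshold to > 0.
    Write-Host "Statistic: $count"
    if ($count -gt 0) {
        $msg = ($findings | ForEach-Object { "$($_.Child) <- $($_.Ancestor)" }) -join '; '
        Write-Host "Message: Risky child of IIS worker process: $msg"
    } else { Write-Host "Message: No risky processes found under $($riskyParents -join ', ')" }
    exit 0
}
$findings | Format-Table -AutoSize   # interactive run: show what was found
```

On a workstation without IIS the Statistic stays 0; to exercise the alert path, add a harmless process pair to the two lists the way the answer describes rather than spawning anything under w3wp.exe.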