cancel
Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 12

Using SAM alerting, how to check IIS AppPool process executing net.exe, cmd.exe, and mshta.exe?

People,

I wanted to know if it is possible to trigger email alert with SAM or any other method when the Windows IIS server Application Pool process executing net.exe, cmd.exe, and mshta.exe file?

Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like ‘MSExchangeOWAAppPool or MSExchangeECPAppPool are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.execmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.

The above was taken from Point #5 from: https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/

Thank you in advance.

2 Replies

Hey, @itengineer, I made a proof of concept for you to try! Here is a PowerShell script that you can download and run locally to test, then put into a SAM template if you'd like. Download from here: https://github.com/SturdyErde/Get-RiskyProcesses

It's pretty well documented within, but start by looking at the $riskyProcesses and $riskyParents variables. On my machine, I tested by adding "code.exe" and "teams.exe" as test triggers. Below you can see the results of this script finding a teams.exe process that was spawned by a parent teams.exe process. That's not risky, but of course, I'm not running IIS on my workstation.

Results from Get-RiskyProcesses.ps1Results from Get-RiskyProcesses.ps1

For the application template, add a Windows PowerShell component monitor and paste the script into the script body. Put "Orion" (without quotes) in the Script Arguments box to tell it to provide output formatted for Orion, and then set your warning threshold to greater than 0.

Component monitor for Get-RiskyProcesses.ps1Component monitor for Get-RiskyProcesses.ps1

I have not had a chance to fully test this SAM template against a server, which is why I have not yet posted the actual template to Thwack. Still, if you have time, creating a test template shouldn't take long. Creating a good test scenario is the hardest part!

Please reply if you have any questions. Please feel free to submit a pull request on GitHub if you see any room for improvement on the script!

- Sam

I read the same article, and love that someone thought to ask the question here. I have an idea for a script monitor and hope to make something usable by the end of the week.
0 Kudos