People,
I wanted to know if it is possible to trigger an email alert with SAM or any other method when a Windows IIS server Application Pool process executes net.exe, cmd.exe, or mshta.exe?
Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like ‘MSExchangeOWAAppPool’ or ‘MSExchangeECPAppPool’ are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.
The above was taken from Point #5 from: https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/
Thank you in advance.
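
One way to express the check from the quoted guidance, as an added example that is not part of the original post or the Microsoft article: a PowerShell function that reads Security event 4688 (process creation) XML and reports children of w3wp.exe that are on the watch list. It assumes "Audit Process Creation" is enabled and that the OS records ParentProcessName in 4688 (Windows Server 2016 and later); the function name and the sample events are constructed for illustration.

```powershell
# Added example. Assumes process-creation auditing (event 4688) is enabled and
# that the event carries ParentProcessName (Windows Server 2016 and later).
$WatchList = 'net.exe', 'cmd.exe', 'mshta.exe'   # child processes named in the post

function Find-IisChildProcess {                  # hypothetical helper name
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$raw).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if (-not $data['NewProcessName'] -or -not $data['ParentProcessName']) { continue }

        # Compare file names only; PowerShell string comparison is case-insensitive.
        $child  = ($data['NewProcessName']    -split '\\')[-1]
        $parent = ($data['ParentProcessName'] -split '\\')[-1]
        if ($parent -eq 'w3wp.exe' -and $WatchList -contains $child) {
            [pscustomobject]@{
                Parent      = $data['ParentProcessName']
                Child       = $data['NewProcessName']
                CommandLine = $data['CommandLine']     # empty unless command-line auditing is on
                Account     = $data['SubjectUserName']
            }
        }
    }
}

# Constructed sample events, trimmed to the fields used above.
$sample = @(
    # w3wp.exe -> cmd.exe : should be reported
    '<Event><EventData><Data Name="SubjectUserName">WEB01$</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe /c whoami</Data><Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data></Event>'.Replace('</Data></Event>', '</Data></EventData></Event>'),
    # explorer.exe -> cmd.exe : parent is not the IIS worker, ignored
    '<Event><EventData><Data Name="SubjectUserName">admin</Data><Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data><Data Name="CommandLine">cmd.exe</Data><Data Name="ParentProcessName">C:\Windows\explorer.exe</Data></EventData></Event>',
    # w3wp.exe -> csc.exe : child is not on the watch list, ignored
    '<Event><EventData><Data Name="SubjectUserName">WEB01$</Data><Data Name="NewProcessName">C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe</Data><Data Name="CommandLine"></Data><Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data></EventData></Event>'
)
Find-IisChildProcess -EventXml $sample | Format-List

# Live use on the IIS server (elevated session), last 5 minutes of the Security log:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddMinutes(-5)} |
#        ForEach-Object { $_.ToXml() }
# if ($xml) { Find-IisChildProcess -EventXml $xml }
```

The function returns one object per match, so a scheduled task or a script-based monitor can raise the alert whenever the result is non-empty.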