
Using SAM alerting, how to check for an IIS AppPool process executing net.exe, cmd.exe, or mshta.exe?

People,

I wanted to know if it is possible to trigger an email alert with SAM, or by any other method, when a Windows IIS server Application Pool process executes net.exe, cmd.exe, or mshta.exe.

Catching attacks in the exploratory phase, the period in which attackers spend several days exploring the environment after gaining access, is key. Common application pools like MSExchangeOWAAppPool or MSExchangeECPAppPool are commonly hijacked by attackers through web shell deployment. Prioritize alerts related to processes such as net.exe, cmd.exe, and mshta.exe originating from these pools or w3wp.exe in general.

The above was taken from Point #5 from: https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/

Thank you in advance.
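One way to detect exactly the behaviour the Microsoft article describes, added here as an example and not part of the original question or the article: evaluate Security event 4688 (process creation) records and flag any net.exe, cmd.exe or mshta.exe whose ParentProcessName is w3wp.exe. This assumes "Audit Process Creation" and "Include command line in process creation events" are enabled, and that the ParentProcessName field is present (it is on Windows 10 / Server 2016 and later). The two events below are constructed so the logic runs offline; the Get-WinEvent line at the end shows how to feed it real events.

```powershell
# Added example: match Security event 4688 records where an IIS worker process
# (w3wp.exe) spawned a child we consider risky. Not the SAM script from this thread.

$riskyChildren = @('net.exe', 'net1.exe', 'cmd.exe', 'mshta.exe')   # net.exe usually hands off to net1.exe
$riskyParents  = @('w3wp.exe')

function Test-RiskyProcessCreation {
    # Takes one 4688 event as XML (what Get-WinEvent's .ToXml() returns) and emits an object if it matches.
    param([Parameter(Mandatory)][xml]$EventXml)

    $ns = New-Object System.Xml.XmlNamespaceManager($EventXml.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')

    # Flatten <Data Name="...">value</Data> pairs into a hashtable keyed by the Name attribute.
    $data = @{}
    foreach ($d in $EventXml.SelectNodes('//e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.'#text'
    }

    $child  = [IO.Path]::GetFileName($data['NewProcessName'])
    $parent = [IO.Path]::GetFileName($data['ParentProcessName'])

    # -contains is case-insensitive in PowerShell, so CMD.EXE and cmd.exe both match.
    if ($riskyChildren -contains $child -and $riskyParents -contains $parent) {
        [pscustomobject]@{
            Time        = $EventXml.Event.System.TimeCreated.SystemTime
            Computer    = $EventXml.Event.System.Computer
            Account     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Parent      = $data['ParentProcessName']
            Child       = $data['NewProcessName']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample events (hypothetical host name and values), one hit and one benign.
$sampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2020-07-01T10:15:02.000Z"/><Computer>exch01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">EXCH01$</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c net group "Exchange Organization Administrators" /domain</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2020-07-01T10:16:40.000Z"/><Computer>exch01.corp.example</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">admin</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe</Data>
    <Data Name="ParentProcessName">C:\Windows\explorer.exe</Data>
  </EventData>
</Event>
'@
)

# Offline run over the constructed events: only the w3wp.exe -> cmd.exe record is returned.
$sampleEvents | ForEach-Object { Test-RiskyProcessCreation ([xml]$_) } | Format-List

# Live run over the last five minutes of the Security log (needs an elevated shell):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-5) } |
#     ForEach-Object { Test-RiskyProcessCreation ([xml]$_.ToXml()) }
```

Because a web-shell-launched cmd.exe typically lives for milliseconds, event-based detection like this catches cases that a periodic process-list poll will miss; the same matching logic applies to Sysmon Event ID 1 if that is deployed, since it carries Image and ParentImage fields.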

  • I read the same article, and love that someone thought to ask the question here. I have an idea for a script monitor and hope to make something usable by the end of the week.
  • Hey, I made a proof of concept for you to try! Here is a PowerShell script that you can download and run locally to test, then put into a SAM template if you'd like. Download from here: https://github.com/SturdyErde/Get-RiskyProcesses

    It's pretty well documented within, but start by looking at the $riskyProcesses and $riskyParents variables. On my machine, I tested by adding "code.exe" and "teams.exe" as test triggers. Below you can see the results of this script finding a teams.exe process that was spawned by a parent teams.exe process. That's not risky, but of course, I'm not running IIS on my workstation.


    For the application template, add a Windows PowerShell component monitor and paste the script into the script body. Put "Orion" (without quotes) in the Script Arguments box to tell it to provide output formatted for Orion, and then set your warning threshold to greater than 0.


    I have not had a chance to fully test this SAM template against a server, which is why I have not yet posted the actual template to Thwack. Still, if you have time, creating a test template shouldn't take long. Creating a good test scenario is the hardest part!

    Please reply if you have any questions. Please feel free to submit a pull request on GitHub if you see any room for improvement on the script!

    - Sam
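For readers who want to see the shape of such a SAM script monitor without downloading the repository, here is an added example of the same idea (written for this page, not the Get-RiskyProcesses script linked above, whose internals may differ): snapshot the process tree with Win32_Process, walk each risky child's ancestry looking for w3wp.exe, and, when "Orion" is passed as the script argument, print the Statistic/Message pairs a SAM Windows PowerShell monitor expects, so a warning threshold of "greater than 0" on the statistic fires the alert. The -Sample switch substitutes constructed process data (hypothetical PIDs and command lines) so the logic can be exercised on a workstation that is not running IIS.

```powershell
# Added example: SAM-style process-tree check for w3wp.exe spawning net.exe/cmd.exe/mshta.exe.
# Usage:  .\Find-RiskyIisChildren.ps1 Orion          (SAM output, live process list)
#         .\Find-RiskyIisChildren.ps1 Orion -Sample  (SAM output, constructed data)
#         .\Find-RiskyIisChildren.ps1                (table output for a human)
param(
    [string]$Format = 'Table',   # "Orion" => Statistic./Message. lines for the SAM component monitor
    [switch]$Sample              # use the constructed snapshot below instead of Get-CimInstance
)

$riskyChildren = @('net.exe', 'net1.exe', 'cmd.exe', 'mshta.exe')
$riskyParents  = @('w3wp.exe')

function Get-ProcessSnapshot {
    if ($Sample) {
        # Constructed data: an OWA worker that spawned cmd.exe -> net.exe, plus a benign cmd.exe from explorer.
        return @(
            [pscustomobject]@{ ProcessId = 4;    ParentProcessId = 0;    Name = 'System';       CommandLine = '' }
            [pscustomobject]@{ ProcessId = 1200; ParentProcessId = 900;  Name = 'w3wp.exe';     CommandLine = 'c:\windows\system32\inetsrv\w3wp.exe -ap "MSExchangeOWAAppPool"' }
            [pscustomobject]@{ ProcessId = 3100; ParentProcessId = 1200; Name = 'cmd.exe';      CommandLine = 'cmd.exe /c whoami' }
            [pscustomobject]@{ ProcessId = 3200; ParentProcessId = 3100; Name = 'net.exe';      CommandLine = 'net user' }
            [pscustomobject]@{ ProcessId = 2000; ParentProcessId = 1500; Name = 'explorer.exe'; CommandLine = 'explorer.exe' }
            [pscustomobject]@{ ProcessId = 2100; ParentProcessId = 2000; Name = 'cmd.exe';      CommandLine = 'cmd.exe' }
        )
    }
    # CommandLine is null for protected processes; that is fine, we only match on Name.
    Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

function Find-RiskyChildren {
    param([object[]]$Processes)
    $byId = @{}
    foreach ($p in $Processes) { $byId[[int]$p.ProcessId] = $p }

    foreach ($p in $Processes) {
        if ($riskyChildren -notcontains $p.Name) { continue }
        # Walk up the tree so net.exe launched by a cmd.exe that w3wp.exe started is still caught.
        # The depth cap guards against loops caused by PID reuse in a stale parent pointer.
        $chain    = @($p.Name)
        $ancestor = $byId[[int]$p.ParentProcessId]
        $depth    = 0
        while ($ancestor -and $depth -lt 5) {
            $chain += $ancestor.Name
            if ($riskyParents -contains $ancestor.Name) {
                [pscustomobject]@{
                    ProcessId   = $p.ProcessId
                    Chain       = ($chain[($chain.Count - 1)..0] -join ' -> ')   # root first, e.g. w3wp.exe -> cmd.exe -> net.exe
                    CommandLine = $p.CommandLine
                }
                break
            }
            $ancestor = $byId[[int]$ancestor.ParentProcessId]
            $depth++
        }
    }
}

$hits = @(Find-RiskyChildren -Processes (Get-ProcessSnapshot))

if ($Format -eq 'Orion') {
    # SAM Windows PowerShell monitor output: one Statistic./Message. pair per metric; exit 0 means the script ran.
    "Statistic.RiskyProcesses: $($hits.Count)"
    $msg = if ($hits.Count -gt 0) {
        ($hits | ForEach-Object { "$($_.Chain) [$($_.CommandLine)]" }) -join '; '
    } else { 'no risky child processes found' }
    "Message.RiskyProcesses: $msg"
    exit 0
}

$hits | Format-Table -AutoSize
```

With -Sample the statistic is 2 (the cmd.exe and the net.exe under the OWA worker; the explorer-launched cmd.exe is ignored). The caveat to keep in mind with any polled snapshot like this, including the script in the reply above, is that a command a web shell runs and that exits in well under the polling interval will never be in the list; process-creation auditing (event 4688, or Sysmon) is the complementary source for those.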