Microsoft Exchange Server Detections with IBM QRadar
By: Wendy Willner and Gladys Koskas
This week Microsoft announced zero-day exploits being used against on-premises versions of Microsoft Exchange Server. The vulnerabilities being exploited are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 (based on current information as of the time of this publication).
At the time of this writing several threat actors are actively using these exploits to gain access to servers, steal data and perform other malicious activities. This blog post provides guidance on using QRadar to detect this activity efficiently.
IBM Security X-Force researchers published a collection of indicators of compromise (IOCs) including malicious file hashes, IP addresses and URLs connected to this on-going threat. These IOCs can easily be brought into QRadar using the Threat Intelligence App which can be downloaded either from the IBM Security App Exchange or natively via the QRadar App Assistant.
These threat indicators can then be added to a reference set so that they can be used within building blocks, rules, and searches to detect the presence of these IOCs within your environment. Public X-Force Collections, including this one, are free to existing QRadar customers.
Additionally, QRadar customers who also subscribe to the IBM Security X-Force Advanced Threat Protection Feed have access to a built-in “Am I Affected?” feature within the Threat Intelligence App. This feature detects known IOCs and can be used alongside other threat intelligence that becomes available as the situation develops. With this subscription new X-Force collections are loaded directly into QRadar, and users can simply click “Scan Now” to automatically search for all IOCs associated with the collection. The results of the “Scan Now” query show which systems and users may have been connected to this threat, giving you a starting point for investigation, remediation, and response.
If you do not currently subscribe to the Advanced Threat Protection Feed, a 30-day free trial is available.
The Cisco Talos team has again published a set of Snort rules for these exploits. QRadar users can create a new rule based on these signatures, correlate the resulting events with other data, and optionally be alerted directly by email. The steps to implement this are:
- Install the IBM Security QRadar Custom Properties for Snort content extension; and
- Create a new Event rule that tests the parsed Snort signature fields.
As discussed in previous blog posts, file hashes are a reliable input for threat detection. SHA-256 matching can be implemented quickly with one reference set and one custom rule:
- Create a Reference Set and populate it with the hashes provided by Microsoft here.
- Install content extensions containing hash properties, or create your own. On the App Exchange, you can find SHA-256 parsed for the following devices:
- Carbon Black Response, Cisco AMP, McAfee ePolicy Orchestrator, Microsoft Windows Defender ATP, Microsoft Windows Security Event Log
- Create a rule that tests the custom properties SHA-256 Hash and Parent SHA-256 Hash against the new Reference Set.
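The three steps above can be modelled offline to check the rule logic before building it in QRadar. The following is an added example written for this post, not IBM's code or QRadar's own implementation: a reference set of SHA-256 values, two regex-based custom properties (“SHA-256 Hash” and “Parent SHA-256 Hash”) extracted from the raw payload the way QRadar custom properties are, and one rule that fires when either property value is contained in the set. The hashes are derived from labelled dummy strings and the log lines are constructed in a key=value style modelled on Sysmon process-creation payloads; the `ParentHashes` field is an assumed name for this example, and none of the values are real Exchange IOCs.

```python
"""
Added example: offline model of the QRadar detection described above.
Reference set + custom properties + rule, run over constructed events.
Nothing here is a real indicator of compromise.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed "IOC" hashes: derived from labelled dummy content so they are
# obviously not real indicators. In QRadar this set would be populated from
# the Microsoft / X-Force IOC list.
IOC1 = hashlib.sha256(b"constructed-webshell-sample-1").hexdigest()
IOC2 = hashlib.sha256(b"constructed-dropper-sample-2").hexdigest()
BENIGN = hashlib.sha256(b"constructed-benign-binary").hexdigest()
IOC_SHA256: Set[str] = {IOC1, IOC2}

# QRadar custom properties are regexes with one capture group applied to the
# raw payload. \bHashes= keeps the first regex from matching inside
# "ParentHashes=". "ParentHashes" is an assumed field name for this example.
CUSTOM_PROPERTIES: Dict[str, re.Pattern] = {
    "SHA-256 Hash": re.compile(r"\bHashes=(?:[^,\s]*,)*SHA256=([0-9A-Fa-f]{64})"),
    "Parent SHA-256 Hash": re.compile(r"\bParentHashes=(?:[^,\s]*,)*SHA256=([0-9A-Fa-f]{64})"),
}

# Constructed sample events (not real logs). The first uses upper-case hex,
# as Windows/Sysmon sources commonly do, to exercise case normalisation.
SAMPLE_EVENTS: List[str] = [
    # child binary is in the set -> "SHA-256 Hash" hit
    f"EventID=1 Image=C:\\Temp\\a.exe Hashes=MD5=0,SHA256={IOC1.upper()} "
    f"ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe ParentHashes=SHA256={BENIGN}",
    # child benign, parent in the set -> "Parent SHA-256 Hash" hit
    f"EventID=1 Image=C:\\Windows\\System32\\cmd.exe Hashes=SHA256={BENIGN} "
    f"ParentImage=C:\\Temp\\b.exe ParentHashes=SHA256={IOC2}",
    # both benign -> no hit
    f"EventID=1 Image=C:\\Windows\\System32\\notepad.exe Hashes=SHA256={BENIGN} "
    f"ParentImage=C:\\Windows\\explorer.exe ParentHashes=SHA256={BENIGN}",
    # no hash fields at all (e.g. a network event) -> no properties, no hit
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=10.0.0.5",
]


@dataclass
class Match:
    event: str
    property_name: str
    value: str


def extract_properties(payload: str) -> Dict[str, str]:
    """Apply each custom-property regex to the payload. A property whose regex
    does not match is simply absent, as it would be in QRadar. Values are
    lower-cased so the comparison does not depend on the source's hex case."""
    found: Dict[str, str] = {}
    for name, rx in CUSTOM_PROPERTIES.items():
        m = rx.search(payload)
        if m:
            found[name] = m.group(1).lower()
    return found


def evaluate_rule(events: Iterable[str], reference_set: Iterable[str]) -> List[Match]:
    """Rule: 'when any of [SHA-256 Hash, Parent SHA-256 Hash] is contained in
    the reference set'. Returns one Match per property hit, in event order."""
    ref = {h.lower() for h in reference_set}
    matches: List[Match] = []
    for payload in events:
        for name, value in extract_properties(payload).items():
            if value in ref:
                matches.append(Match(payload, name, value))
    return matches


if __name__ == "__main__":
    for hit in evaluate_rule(SAMPLE_EVENTS, IOC_SHA256):
        print(f"HIT {hit.property_name}={hit.value}  {hit.event[:70]}...")
```

The example lower-cases both the reference set and the extracted values. Check the same point when you build this in QRadar: many Windows sources emit hashes in upper-case hex while published IOC lists are usually lower-case, so create the reference set with a case-insensitive element type or normalise the hashes on both sides, otherwise the rule silently never matches.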
Endpoint Content Extension
Please review our earlier post on how to monitor for credential dumping and how to detect behaviors typical of ransomware using QRadar.
For additional use cases, use the IBM QRadar Endpoint Content Extension, which is available on the IBM Security App Exchange. A sampling of the use cases it provides:
- Attempt to delete Shadow Copies
- Boot Recovery Disablement
- COM Hijacking
- RDP Hijacking
- Process Masquerading
- Malicious program executing scripts
- Malicious software downloading files
- Remote script execution
- Suspicious account management
- Password policy discovery
- Suspicious file management
The above steps let you take advantage of the publicly available IOCs and countermeasures to detect indicators of the Microsoft Exchange threat within your environment. All of the QRadar apps, custom properties, and content extensions mentioned above are available free of charge to all QRadar customers and can be downloaded either from the IBM Security App Exchange or natively via the QRadar App Assistant.
If you are directly impacted and in need of expert assistance, you can contact the IBM Security X-Force Incident Response team that is available to assist 24×7, at the US hotline 1-888-241-9812 / Global hotline (+001) 312-212-8034.