{
	"id": "40c5cf65-b9c7-4f2c-99a8-88ed98e79cc4",
	"created_at": "2026-04-29T08:22:56.474719Z",
	"updated_at": "2026-04-29T10:41:41.286957Z",
	"deleted_at": null,
	"sha1_hash": "855b8d304fdaf856bbe58146b46e83c9d348c77e",
	"title": "Microsoft-365-Defender-Hunting-Queries/Execution/exchange-iis-worker-dropping-webshell.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54249,
	"plain_text": "Microsoft-365-Defender-Hunting-Queries/Execution/exchange-iis-worker-dropping-webshell.md at master · microsoft/Microsoft-365-Defender-Hunting-Queries\r\nBy Louie Mayor\r\nArchived: 2026-04-29 07:03:42 UTC\r\nLatest commit\r\nMar 5, 2021\r\nExchange Server IIS dropping web shells and other artifacts\r\nThis query was originally published in the threat analytics report, \"Exchange Server zero-days exploited in the wild\".\r\nIn early March 2021, Microsoft released patches for four different zero-day vulnerabilities affecting Microsoft Exchange Server. The vulnerabilities were being used in a coordinated attack. For more information on the vulnerabilities, visit the following links:\r\nCVE-2021-26855\r\nCVE-2021-26857\r\nCVE-2021-26858\r\nCVE-2021-27065\r\nThe following query checks for the IIS worker process in Exchange Server dropping files that appear to be the web shells and other threat artifacts observed in known attacks.\r\nMore queries related to this threat can be found under the See also section of this page.\r\nQuery\r\nDeviceFileEvents\r\n// File writes initiated by the IIS worker process hosting Exchange application pools\r\n| where InitiatingProcessFileName == 'w3wp.exe'\r\n| where InitiatingProcessCommandLine contains \"MSExch\"\r\n// Web-accessible and ASP.NET compilation paths where dropped web shells land\r\n| where FolderPath has_any (\"\\\\wwwroot\\\\\", \"HttpProxy\\\\owa\\\\\", \"\\\\Temporary ASP.NET Files\\\\\")\r\n| where not(FolderPath has_any(\"\\\\tmp\\\\\", \"\\\\dl3\\\\\"))\r\n// Exclude file types that IIS and ASP.NET write during normal operation\r\n| where FolderPath !endswith \".log\"\r\n| where FolderPath !endswith \".json\"\r\n| where FolderPath !endswith \".ini\"\r\n| where FolderPath !endswith \".vb\"\r\n| where FolderPath !endswith '.tmp'\r\n| where FolderPath !endswith '.xml'\r\n| where FolderPath !endswith '.js'\r\nCategory\r\nThis query can be used to detect the following attack techniques and tactics (see MITRE ATT\u0026CK framework) or security configuration states.\r\nTechnique, tactic, or state | Covered? (v=yes) | Notes\r\nInitial access | |\r\nExecution | v |\r\nPersistence | v |\r\nPrivilege escalation | |\r\nDefense evasion | |\r\nCredential Access | |\r\nDiscovery | |\r\nLateral movement | |\r\nCollection | |\r\nCommand and control | |\r\nExfiltration | |\r\nImpact | |\r\nVulnerability | |\r\nExploit | |\r\nMisconfiguration | |\r\nMalware, component | |\r\nRansomware | |\r\nSee also\r\nReverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique\r\nProcdump dumping LSASS credentials\r\n7-ZIP used by attackers to prepare data for exfiltration\r\nExchange PowerShell snap-in being loaded\r\nPowercat exploitation tool downloaded\r\nExchange vulnerability creating web shells via UMWorkerProcess\r\nExchange vulnerability launching subprocesses through UMWorkerProcess\r\nBase64-encoded Nishang commands for loading reverse shell\r\nContributor info\r\nContributor: Microsoft 365 Defender team\r\nSource: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md"
	],
	"report_names": [
		"exchange-iis-worker-dropping-webshell.md"
	],
	"threat_actors": [],
	"ts_created_at": 1777450976,
	"ts_updated_at": 1777459301,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/855b8d304fdaf856bbe58146b46e83c9d348c77e.pdf",
		"text": "https://archive.orkl.eu/855b8d304fdaf856bbe58146b46e83c9d348c77e.txt",
		"img": "https://archive.orkl.eu/855b8d304fdaf856bbe58146b46e83c9d348c77e.jpg"
	}
}