App_Web_outlooken.aspx.f5dba9b9.moomk9bg.dll
I have a fully patched Exchange 2019 server (15.2.1544.11) with Sentinel One running.
Windows update is handled by ConnectWise Automate and the update GUI is hidden from display.
Only port 443 is open to the world and 25 is allowed in from only a spam filtering service.
Today it hit on this file \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\c7aec3e5\170e9609\App_Web_outlooken.aspx.f5dba9b9.moomk9bg.dll
Threat Info:
Name: App_Web_outlooken.aspx.f5dba9b9.moomk9bg.dll
URL: Omitted
Path: \Device\HarddiskVolume4\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\owa\c7aec3e5\170e9609\App_Web_outlooken.aspx.f5dba9b9.moomk9bg.dll
Process User: NT AUTHORITY\SYSTEM
Signature Verification: NotSigned
Originating Process: w3wp.exe
SHA1: 16c3001d66bd5b4e01fa2b3a5fe8fea3e31ed94b
Initiated By: Agent Policy
Engine: On-Write Static AI – Suspicious
Detection type: Static
Classification: PUA
File Size: 60.50 KB
Storyline: 34B3AAE90059A029
Threat Id: 1971715204265351815
Endpoint Info:
Computer Name: EX19
Console Connectivity: Online
Full Disk Scan: Completed at Jan 23, 2023 18:03:01
Pending reboot: No
Network Status: Connected
Scope: Omitted
OS Version: Windows Server 2019 Standard 17763
Agent Version: 22.2.4.558
Policy: protect
UUID: 88685af938e5446684e063a45e55cee5
Domain: Omitted
IP v4 Address: 192.168.14.150
Console Visible IP Address: Omitted
Subscription Time: Jan 23, 2023 17:42:06
I can’t see how it got in, but out of an abundance of caution I created two new CAS rules to block external ECP and PowerShell access.
The Exchange PowerShell log shows no activity.
Is this a valid file?
TIA
-=Chris
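An added triage example, not part of Chris's post or of SentinelOne/Exchange tooling. Files under `Temporary ASP.NET Files` are assemblies that ASP.NET compiles on demand from `.aspx` pages, so a fresh `App_Web_*.dll` produced by `w3wp.exe` is expected after any cumulative update or application-pool recycle; the question that matters is whether the source page it was built from is the one Exchange shipped. The script maps the flagged assembly back to its source page through the `.compiled` sidecar XML that ASP.NET writes next to each build output, then reports the source file's location, timestamp, hash and whether it contains inline server code. Assumptions: `$AssemblyName` is taken from the alert, the temp root is the default 64-bit .NET 4 location, and `$env:ExchangeInstallPath` is populated by Exchange setup.

```powershell
# Added example (not from the original post): map a compiled ASP.NET temp assembly
# back to the .aspx it was built from and report facts about that source file.
# Assumptions: assembly name from the alert (minus .dll); default .NET 4 x64 temp
# root; ExchangeInstallPath set by Exchange setup. Adjust for your server.

$AssemblyName = 'App_Web_outlooken.aspx.f5dba9b9.moomk9bg'
$TempRoot     = Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files'
$ExchangeRoot = $env:ExchangeInstallPath

# ASP.NET writes a <page>.<hash>.compiled sidecar for each dynamic build. Its
# <preserve> element names the output assembly and the page's virtual path, and
# <filedeps> lists every source file that fed the build.
$sidecars = Get-ChildItem -Path $TempRoot -Filter '*.compiled' -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { Select-String -Path $_.FullName -Pattern $AssemblyName -SimpleMatch -Quiet }

if (-not $sidecars) {
    Write-Warning "No .compiled sidecar under $TempRoot references $AssemblyName"
    return
}

foreach ($sc in $sidecars) {
    [xml]$doc = Get-Content -Path $sc.FullName -Raw
    $pre = $doc.preserve
    "Sidecar      : $($sc.FullName)"
    "Virtual path : $($pre.virtualPath)"
    "Assembly     : $($pre.assembly)"
    "Compiled at  : $($sc.LastWriteTime)"

    # Source files the page depends on (the .aspx itself, master page, code files).
    $deps = @($pre.filedeps.filedep | ForEach-Object { $_.name })
    foreach ($dep in $deps) {
        $leaf = Split-Path -Path $dep -Leaf
        # Resolve by file name under the Exchange install. The front-end
        # (FrontEnd\HttpProxy) and back-end (ClientAccess) sites both carry OWA
        # content, so more than one hit for the same leaf name is normal.
        $hits = Get-ChildItem -Path $ExchangeRoot -Filter $leaf -Recurse -File -ErrorAction SilentlyContinue
        if (-not $hits) {
            "  NOT FOUND under Exchange install: $dep  (source outside the product tree; escalate)"
            continue
        }
        foreach ($f in $hits) {
            $sha1 = (Get-FileHash -Path $f.FullName -Algorithm SHA1).Hash
            # Inline code blocks (<% ... %>, but not the <%@ directive) or a
            # runat="server" script block. Some shipped pages legitimately have
            # these, so treat a hit as "review", not "malicious".
            $inlineCode = Select-String -Path $f.FullName -Pattern '<%[^@]|<script[^>]*runat="server"' -Quiet
            "  Source      : $($f.FullName)"
            "    Modified  : $($f.LastWriteTime)   Size: $($f.Length)   SHA1: $sha1"
            "    Inline server code present: $inlineCode"
        }
    }
}
```

Compare each reported source file's SHA1 and LastWriteTime with the same path on a known-good Exchange server at the same CU, or with a fresh extract of the CU package: a page whose hash differs from the shipped copy, or that was modified after the last CU install, is the finding to escalate, while a page that matches means the compiled DLL is simply ASP.NET's normal build output for it.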