2023-03-09 22:10:42 +01:00
|
|
|
title: HAFNIUM Exchange Exploitation Activity
|
2021-03-09 09:01:24 +01:00
|
|
|
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
|
2022-10-09 16:54:04 +02:00
|
|
|
status: test
|
2021-08-18 18:58:20 +00:00
|
|
|
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
|
2021-03-09 09:01:24 +01:00
|
|
|
references:
|
|
|
|
|
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
|
|
|
|
|
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
|
2021-03-11 13:38:07 +01:00
|
|
|
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
|
2021-03-13 09:07:58 +01:00
|
|
|
- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
|
2021-03-17 18:01:45 +01:00
|
|
|
- https://twitter.com/BleepinComputer/status/1372218235949617161
|
2023-02-01 11:14:59 +01:00
|
|
|
author: Florian Roth (Nextron Systems)
|
2022-10-09 16:54:04 +02:00
|
|
|
date: 2021/03/09
|
2023-03-09 22:10:42 +01:00
|
|
|
modified: 2023/03/09
|
2022-10-09 16:54:04 +02:00
|
|
|
tags:
|
|
|
|
|
- attack.persistence
|
|
|
|
|
- attack.t1546
|
|
|
|
|
- attack.t1053
|
2021-03-09 09:01:24 +01:00
|
|
|
logsource:
|
|
|
|
|
category: process_creation
|
|
|
|
|
product: windows
|
|
|
|
|
detection:
|
2023-03-09 22:10:42 +01:00
|
|
|
selection_attrib:
|
2021-03-09 09:01:24 +01:00
|
|
|
CommandLine|contains|all:
|
|
|
|
|
- 'attrib'
|
|
|
|
|
- ' +h '
|
|
|
|
|
- ' +s '
|
|
|
|
|
- ' +r '
|
|
|
|
|
- '.aspx'
|
2023-03-09 22:10:42 +01:00
|
|
|
selection_vsperfmon:
|
|
|
|
|
- Image|contains: '\ProgramData\VSPerfMon\'
|
|
|
|
|
- CommandLine|contains|all:
|
2021-03-09 09:01:24 +01:00
|
|
|
- 'schtasks'
|
|
|
|
|
- 'VSPerfMon'
|
2023-03-09 22:10:42 +01:00
|
|
|
selection_opera_1:
|
2021-03-09 09:01:24 +01:00
|
|
|
Image|endswith: 'Opera_browser.exe'
|
|
|
|
|
ParentImage|endswith:
|
|
|
|
|
- '\services.exe'
|
|
|
|
|
- '\svchost.exe'
|
2023-03-09 22:10:42 +01:00
|
|
|
selection_opera_2:
|
|
|
|
|
Image|endswith: 'Users\Public\opera\Opera_browser.exe'
|
|
|
|
|
selection_vssadmin:
|
2021-03-09 09:01:24 +01:00
|
|
|
CommandLine|contains|all:
|
2023-03-09 22:10:42 +01:00
|
|
|
- 'vssadmin list shadows'
|
|
|
|
|
- 'Temp\__output'
|
|
|
|
|
selection_makecab_1:
|
|
|
|
|
Image|endswith: '\makecab.exe'
|
|
|
|
|
CommandLine|contains|all:
|
|
|
|
|
- 'inetpub\wwwroot\'
|
|
|
|
|
- '.dmp.zip'
|
|
|
|
|
selection_makecab_2:
|
2021-03-11 13:38:07 +01:00
|
|
|
Image|endswith: '\makecab.exe'
|
|
|
|
|
CommandLine|contains:
|
|
|
|
|
- 'Microsoft\Exchange Server\'
|
2023-03-09 22:10:42 +01:00
|
|
|
- 'compressionmemory'
|
|
|
|
|
- '.gif'
|
|
|
|
|
selection_7zip:
|
|
|
|
|
CommandLine|contains|all:
|
|
|
|
|
- ' -t7z '
|
|
|
|
|
- 'C:\Programdata\pst'
|
|
|
|
|
- '\it.zip'
|
|
|
|
|
selection_rundll32:
|
2021-03-17 18:01:45 +01:00
|
|
|
CommandLine|contains|all:
|
|
|
|
|
- '\comsvcs.dll'
|
|
|
|
|
- 'Minidump'
|
2023-03-09 22:10:42 +01:00
|
|
|
- 'full '
|
2021-03-17 18:01:45 +01:00
|
|
|
- '\inetpub\wwwroot'
|
2023-03-09 22:10:42 +01:00
|
|
|
selection_other:
|
|
|
|
|
CommandLine|contains:
|
|
|
|
|
- 'Windows\Temp\xx.bat'
|
|
|
|
|
- 'Windows\WwanSvcdcs'
|
|
|
|
|
- 'Windows\Temp\cw.exe'
|
2022-01-11 10:59:57 +01:00
|
|
|
condition: 1 of selection*
|
2021-03-09 09:01:24 +01:00
|
|
|
falsepositives:
|
2023-03-09 22:10:42 +01:00
|
|
|
- Unlikely
|
|
|
|
|
level: critical
|
