Detect HAFNIUM operations

rules/web/win_powershell_snapins_hafnium.yml

@@ -0,0 +1,30 @@
+title: Exchange PowerShell Snap-Ins Used by HAFNIUM 
+id: 25676e10-2121-446e-80a4-71ff8506af47
+status: experimental
+description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
+author: FPT.EagleEye 
+references:
+    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+    - attack.execution
+    - attack.t1086
+    - attack.t1059.005
+    - attack.collection
+    - attack.t1114
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\powershell.exe'
+        CommandLine:
+            - '*add-pssnapin microsoft.exchange.powershell.snapin*'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: high

rules/windows/process_creation/win_powershell_reverse_shell_connection.yml

@@ -0,0 +1,28 @@
+title: Powershell Reverse Shell Connection
+id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
+status: experimental
+description: Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
+author: FPT.EagleEye 
+references:
+    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+    - attack.execution
+    - attack.t1086
+    - attack.t1059.005
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image: '*\powershell.exe'
+        CommandLine:
+            - '*new-object system.net.sockets.tcpclient*'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Administrative might use this function for checking network connectivity
+level: high