From 92510e2507bbfcefbc3d91c92a19fcd789ec6043 Mon Sep 17 00:00:00 2001
From: Florian Roth <florian.roth@nextron-systems.com>
Date: Wed, 17 Mar 2021 18:01:45 +0100
Subject: [PATCH] extended Exchange post-exploitation rule

---
 rules/windows/process_creation/win_apt_hafnium.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml
index 0f39740a5..042fe15aa 100644
--- a/rules/windows/process_creation/win_apt_hafnium.yml
+++ b/rules/windows/process_creation/win_apt_hafnium.yml
@@ -1,4 +1,4 @@
-title: HAFNIUM Exchange Exploitation Activity
+title: Exchange Exploitation Activity
 id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
 description: Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers
 author: Florian Roth
@@ -10,6 +10,7 @@ references:
     - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
     - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
     - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
+    - https://twitter.com/BleepinComputer/status/1372218235949617161
 logsource:
     category: process_creation
     product: windows
@@ -55,6 +56,16 @@ detection:
             - '\Temp\xx.bat'
             - 'Windows\WwanSvcdcs'
             - 'Windows\Temp\cw.exe'
+    selection11: 
+        CommandLine|contains|all:
+            - '\comsvcs.dll'
+            - 'Minidump'
+            - '\inetpub\wwwroot'
+    selection12:
+        CommandLine|contains|all:
+            - 'dsquery'
+            - ' -uco '
+            - '\inetpub\wwwroot'
     condition: 1 of them
 falsepositives:
     - Unknown