HAFNIUM Exchange Exploitation Activity

Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers

Sigma rule

title: HAFNIUM Exchange Exploitation Activity
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
status: test
description: Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers
references:
    - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
    - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
    - https://twitter.com/GadixCRK/status/1369313704869834753?s=20
    - https://twitter.com/BleepinComputer/status/1372218235949617161
author: Florian Roth (Nextron Systems)
date: 2021-03-09
modified: 2023-03-09
tags:
    - attack.privilege-escalation
    - attack.execution
    - attack.persistence
    - attack.t1546
    - attack.t1053
    - attack.g0125
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection_attrib:
        CommandLine|contains|all:
            - 'attrib'
            - ' +h '
            - ' +s '
            - ' +r '
            - '.aspx'
    selection_vsperfmon:
        - Image|contains: '\ProgramData\VSPerfMon\'
        - CommandLine|contains|all:
              - 'schtasks'
              - 'VSPerfMon'
    selection_opera_1:
        Image|endswith: 'Opera_browser.exe'
        ParentImage|endswith:
            - '\services.exe'
            - '\svchost.exe'
    selection_opera_2:
        Image|endswith: 'Users\Public\opera\Opera_browser.exe'
    selection_vssadmin:
        CommandLine|contains|all:
            - 'vssadmin list shadows'
            - 'Temp\__output'
    selection_makecab_1:
        Image|endswith: '\makecab.exe'
        CommandLine|contains|all:
            - 'inetpub\wwwroot\'
            - '.dmp.zip'
    selection_makecab_2:
        Image|endswith: '\makecab.exe'
        CommandLine|contains:
            - 'Microsoft\Exchange Server\'
            - 'compressionmemory'
            - '.gif'
    selection_7zip:
        CommandLine|contains|all:
            - ' -t7z '
            - 'C:\Programdata\pst'
            - '\it.zip'
    selection_rundll32:
        CommandLine|contains|all:
            - '\comsvcs.dll'
            - 'Minidump'
            - 'full '
            - '\inetpub\wwwroot'
    selection_other:
        CommandLine|contains:
            - 'Windows\Temp\xx.bat'
            - 'Windows\WwanSvcdcs'
            - 'Windows\Temp\cw.exe'
    condition: 1 of selection*
falsepositives:
    - Unlikely
level: critical
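To show how the detection section above evaluates against real process-creation telemetry, here is an added example that is not part of the rule, of the Sigma project or of any Sigma backend: a small evaluator for the Sigma subset this rule uses (field|contains, field|contains|all, field|endswith, a list of values as OR unless `all` is given, keys inside one map ANDed, a list of maps ORed), run over constructed Sysmon-style events. The events, the `matched_selections`/`rule_fires` helpers and the evaluator itself are assumptions made for illustration; in production the rule is converted with a Sigma backend (for example sigma-cli/pySigma) for the SIEM in use.

```python
"""Evaluate the HAFNIUM Exchange Sigma rule's detection section against
constructed process_creation events (added example, not project code)."""
from __future__ import annotations

from typing import Any

# Detection section transcribed into Python literals. Keys keep the Sigma
# "Field|modifier" form; a list of maps is OR, keys in one map are AND, and a
# list of values is OR unless the 'all' modifier is present.
SELECTIONS: dict[str, Any] = {
    "selection_attrib": {"CommandLine|contains|all": ["attrib", " +h ", " +s ", " +r ", ".aspx"]},
    "selection_vsperfmon": [
        {"Image|contains": "\\ProgramData\\VSPerfMon\\"},
        {"CommandLine|contains|all": ["schtasks", "VSPerfMon"]},
    ],
    "selection_opera_1": {
        "Image|endswith": "Opera_browser.exe",
        "ParentImage|endswith": ["\\services.exe", "\\svchost.exe"],
    },
    "selection_opera_2": {"Image|endswith": "Users\\Public\\opera\\Opera_browser.exe"},
    "selection_vssadmin": {"CommandLine|contains|all": ["vssadmin list shadows", "Temp\\__output"]},
    "selection_makecab_1": {
        "Image|endswith": "\\makecab.exe",
        "CommandLine|contains|all": ["inetpub\\wwwroot\\", ".dmp.zip"],
    },
    "selection_makecab_2": {
        "Image|endswith": "\\makecab.exe",
        "CommandLine|contains": ["Microsoft\\Exchange Server\\", "compressionmemory", ".gif"],
    },
    "selection_7zip": {"CommandLine|contains|all": [" -t7z ", "C:\\Programdata\\pst", "\\it.zip"]},
    "selection_rundll32": {
        "CommandLine|contains|all": ["\\comsvcs.dll", "Minidump", "full ", "\\inetpub\\wwwroot"],
    },
    "selection_other": {
        "CommandLine|contains": ["Windows\\Temp\\xx.bat", "Windows\\WwanSvcdcs", "Windows\\Temp\\cw.exe"],
    },
}


def _match_one(value: str, modifiers: list[str], pattern: str) -> bool:
    """Sigma string matching is case-insensitive; apply one modifier."""
    p = pattern.lower()
    if "contains" in modifiers:
        return p in value
    if "endswith" in modifiers:
        return value.endswith(p)
    if "startswith" in modifiers:
        return value.startswith(p)
    return value == p


def _match_field(event: dict[str, str], key: str, pattern: Any) -> bool:
    field, *modifiers = key.split("|")
    value = event.get(field, "").lower()
    patterns = pattern if isinstance(pattern, list) else [pattern]
    combine = all if "all" in modifiers else any
    return combine(_match_one(value, modifiers, p) for p in patterns)


def _match_selection(event: dict[str, str], sel: Any) -> bool:
    maps = sel if isinstance(sel, list) else [sel]          # list of maps -> OR
    return any(all(_match_field(event, k, v) for k, v in m.items()) for m in maps)


def matched_selections(event: dict[str, str]) -> list[str]:
    """Names of the selections this event satisfies, in rule order."""
    return [name for name, sel in SELECTIONS.items() if _match_selection(event, sel)]


def rule_fires(event: dict[str, str]) -> bool:
    """condition: 1 of selection*"""
    return bool(matched_selections(event))


# Constructed events using Sysmon Event ID 1 field names; not real telemetry.
_SYS = "C:\\Windows\\System32\\"
_WWW = "C:\\inetpub\\wwwroot\\aspnet_client\\"
EVENTS: dict[str, dict[str, str]] = {
    "attrib_webshell": {"Image": _SYS + "attrib.exe", "ParentImage": _SYS + "cmd.exe",
                        "CommandLine": f'attrib +h +s +r "{_WWW}system_web\\help.aspx"'},
    "opera_from_services": {"Image": "C:\\Users\\Public\\opera\\Opera_browser.exe",
                            "ParentImage": _SYS + "services.exe",
                            "CommandLine": "C:\\Users\\Public\\opera\\Opera_browser.exe"},
    "makecab_dump": {"Image": _SYS + "makecab.exe", "ParentImage": _SYS + "cmd.exe",
                     "CommandLine": f"makecab {_WWW}lsass.dmp.zip {_WWW}l.cab"},
    # 'full ' in selection_rundll32 carries a trailing space; this line ends in "full".
    "rundll32_no_trailing_space": {"Image": _SYS + "rundll32.exe", "ParentImage": _SYS + "cmd.exe",
                                   "CommandLine": f"rundll32.exe {_SYS}comsvcs.dll, MiniDump 652 {_WWW}l.dmp full"},
    "benign_attrib": {"Image": _SYS + "attrib.exe", "ParentImage": _SYS + "cmd.exe",
                      "CommandLine": "attrib +h +s +r C:\\Users\\admin\\notes.txt"},
    "benign_schtasks": {"Image": _SYS + "schtasks.exe", "ParentImage": _SYS + "cmd.exe",
                        "CommandLine": 'schtasks /create /tn Backup /tr "C:\\Tools\\backup.exe" /sc daily'},
}

if __name__ == "__main__":
    for name, event in EVENTS.items():
        print(f"{name:28s} fires={rule_fires(event)!s:5s} {matched_selections(event)}")
```

Two things the run makes visible that are easy to miss when reading the YAML: selection_makecab_2 uses `contains` without `all`, so a makecab.exe command line that merely mentions an `Exchange Server\` path satisfies it on its own, while the `'full '` token in selection_rundll32 includes a trailing space, so a comsvcs.dll MiniDump command line whose last argument is `full` with nothing after it does not satisfy that selection (the constructed `rundll32_no_trailing_space` event shows this). Whether the recorded CommandLine retains trailing whitespace depends on the logging pipeline, so check that against your own telemetry before relying on that selection alone.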
