Exchange Exploitation Used by HAFNIUM
Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
Sigma rule (View on GitHub)
1title: Exchange Exploitation Used by HAFNIUM
2id: 67bce556-312f-4c81-9162-c3c9ff2599b2
3status: test
4description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
5references:
6 - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
7 - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
8author: Florian Roth (Nextron Systems)
9date: 2021/03/03
10modified: 2023/01/02
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - attack.g0125
15 - detection.emerging_threats
16logsource:
17 category: webserver
18detection:
19 selection_1:
20 cs-method: 'POST'
21 cs-uri-query|contains: '/owa/auth/Current/themes/resources/'
22 selection_2:
23 cs-method: 'POST'
24 cs-uri-query|contains: '/owa/auth/Current/'
25 cs-user-agent:
26 - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
27 - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
28 - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
29 - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
30 - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
31 - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
32 - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
33 - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
34 - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
35 selection_3:
36 cs-uri-query|contains: '/ecp/'
37 cs-method: 'POST'
38 cs-user-agent:
39 - 'ExchangeServicesClient/0.0.0.0'
40 - 'python-requests/2.19.1'
41 - 'python-requests/2.25.1'
42 selection_4:
43 cs-uri-query|contains:
44 - '/aspnet_client/'
45 - '/owa/'
46 cs-method: 'POST'
47 cs-user-agent:
48 - 'antSword/v2.1'
49 - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
50 - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
51 selection_5:
52 cs-uri-query|contains:
53 - '/owa/auth/Current/'
54 - '/ecp/default.flt'
55 - '/ecp/main.css'
56 cs-method: 'POST'
57 selection_6:
58 cs-method: 'POST'
59 cs-uri-query|contains|all:
60 - '/ecp/'
61 - '.js'
62 condition: 1 of selection_*
63falsepositives:
64 - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
65level: high
References
-
[UPDATE] March 8, 2021 – Since original publication of this blog, Volexity has now observed that cyber espionage operations using the SSRF vulnerability CVE-2021-26855 started occurring on January 3, 2021, three days earlier than initially posted. Volexity is seeing active in-the-wild exploitation of multiple Microsoft Exchange vulnerabilities used to steal e-mail and compromise networks. These attacks appear to have started as early as January 6, 2021. In January 2021, through its Network Security Monitoring service, Volexity detected anomalous activity from two of its customers' Microsoft Exchange servers. Volexity identified a large amount of data being sent to IP addresses it believed were not tied to legitimate users. A closer inspection of the IIS logs from the Exchange servers revealed rather alarming results. The logs showed inbound POST requests to valid files associated with images, JavaScript, cascading style sheets, and fonts used by Outlook Web Access (OWA). It was initially suspected the […]
Read More
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Proxy)
- CVE-2023-22518 Exploitation Attempt - Vulnerable Endpoint Connection (Webserver)
- Potential Information Disclosure CVE-2023-43261 Exploitation - Proxy