From d9b299aafcefa6b3cb45f4961a9c0473c3363d97 Mon Sep 17 00:00:00 2001
From: Rony
Date: Fri, 5 Mar 2021 11:42:04 +0530
Subject: [PATCH 1/6] add more HAFNIUM references
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index e2bf2a7..ebef9fb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8454,7 +8454,10 @@
 "https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html",
 "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
 "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
- "https://twitter.com/ESETresearch/status/1366862946488451088"
+ "https://twitter.com/ESETresearch/status/1366862946488451088",
+ "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html,
+ "https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
 ]
 },
 "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
From 4bc438a325a8e352a1596dc878b05812e6a30f0b Mon Sep 17 00:00:00 2001
From: Rony
Date: Fri, 5 Mar 2021 11:48:43 +0530
Subject: [PATCH 2/6] fix
---
 clusters/threat-actor.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index ebef9fb..999fc78 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
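Review bot: The added FireEye entry is missing its closing double quote (`...zero-day-vulnerabilities.html,`), so this commit leaves clusters/threat-actor.json unparseable until `[PATCH 2/6] fix` restores it; squashing that one-line fix into this patch keeps every commit in the series a valid JSON document and bisectable. The corrected line is `"https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",`. Running `python -m json.tool clusters/threat-actor.json` (or the galaxy's own validation step, if it has one) before committing would catch this class of error. The enclosing array, presumably the cluster's reference list, opens outside the hunk.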
@@ -8455,7 +8455,7 @@
 "https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers",
 "https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day",
 "https://twitter.com/ESETresearch/status/1366862946488451088",
- "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html,
+ "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
 "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
 ]
From eaab88ef281970a960f6c5431d811ff6bef77ae0 Mon Sep 17 00:00:00 2001
From: Rony
Date: Fri, 5 Mar 2021 16:51:28 +0530
Subject: [PATCH 3/6] add HAFNIUM detection refs
---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 999fc78..1b198a7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8457,7 +8457,9 @@
 "https://twitter.com/ESETresearch/status/1366862946488451088",
 "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
 "https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
- "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
+ "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
+ "https://github.com/microsoft/CSS-Exchange/tree/main/Security",
+ "https://github.com/cert-lv/exchange_webshell_detection"
 ]
 },
 "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
From 7b242555dfbd0ee23ebfb91d93c295696bd19c1b Mon Sep 17 00:00:00 2001
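Review bot: The two new GitHub references in PATCH 3/6 point at moving branch paths (`tree/main/Security` and the repository root), so the detection content a reader lands on can drift from what was reviewed when this reference was added; pinning to a revision, e.g. `"https://github.com/microsoft/CSS-Exchange/tree/<commit-sha>/Security",`, keeps the reference reproducible. The same applies to the `blob/master/Execution/exchange-iis-worker-dropping-webshell.md` link added in PATCH 5/6. If the galaxy's convention is to link repositories unpinned, a short remark in the commit message that these are living detection resources would be enough. The enclosing reference array opens outside the hunk.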
From: Rony
Date: Sat, 6 Mar 2021 13:28:14 +0530
Subject: [PATCH 4/6] More references From Crowdstrike MSRC and kql hunting query from James Quinn
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 1b198a7..8d07f43 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8459,7 +8459,10 @@
 "https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
 "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
 "https://github.com/microsoft/CSS-Exchange/tree/main/Security",
- "https://github.com/cert-lv/exchange_webshell_detection"
+ "https://github.com/cert-lv/exchange_webshell_detection",
+ "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
+ "https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
+ "https://pastebin.com/J4L3r2RS"
 ]
 },
 "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
From 6cabbfb091aa9f6c50b0e1a4b2afe800ee5f049a Mon Sep 17 00:00:00 2001
From: Rony
Date: Sat, 6 Mar 2021 14:22:29 +0530
Subject: [PATCH 5/6] more!
---
 clusters/threat-actor.json | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 8d07f43..f5f91fb 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
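Review bot: `"https://pastebin.com/J4L3r2RS"` is an unattributed, deletable paste, which is weak provenance for a threat-actor cluster reference: the commit message credits the KQL hunting query to James Quinn, but nothing in the JSON records that, and a paste can be edited or expire with no trace of what the reference originally pointed to. Prefer linking the author's original publication (the post or repository the paste was taken from) or a copy the project controls; if the paste must stay, at least keep the attribution in the commit message as done here and consider noting the retrieval date alongside it. The enclosing reference array opens outside the hunk.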
@@ -8462,7 +8462,10 @@
 "https://github.com/cert-lv/exchange_webshell_detection",
 "https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits",
 "https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021",
- "https://pastebin.com/J4L3r2RS"
+ "https://pastebin.com/J4L3r2RS",
+ "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
+ "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
+ "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server"
 ]
 },
 "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",
From 57c7d0b9a04bb95714fce32122b791e901a3b91e Mon Sep 17 00:00:00 2001
From: Rony
Date: Sat, 6 Mar 2021 19:44:32 +0530
Subject: [PATCH 6/6] From Nextron
---
 clusters/threat-actor.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index f5f91fb..49e41df 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8465,7 +8465,8 @@
 "https://pastebin.com/J4L3r2RS",
 "https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers",
 "https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md",
- "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server"
+ "https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server",
+ "https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite"
 ]
 },
 "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",