mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-06 17:35:19 +00:00
31 lines
938 B
YAML
31 lines
938 B
YAML
title: Exchange PowerShell Snap-Ins Used by HAFNIUM
|
|
id: 25676e10-2121-446e-80a4-71ff8506af47
|
|
status: experimental
|
|
description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
|
|
author: FPT.EagleEye
|
|
references:
|
|
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
|
|
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
|
|
date: 2021/03/03
|
|
modified: 2021/08/09
|
|
tags:
|
|
- attack.execution
|
|
- attack.t1086 # an old one
|
|
- attack.t1059.001
|
|
- attack.collection
|
|
- attack.t1114
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
Image: '*\powershell.exe'
|
|
CommandLine: '*add-pssnapin microsoft.exchange.powershell.snapin*'
|
|
condition: selection
|
|
fields:
|
|
- CommandLine
|
|
- ParentCommandLine
|
|
falsepositives:
|
|
- Unknown
|
|
level: high
|