SigmaHQ/rules/web/web_exchange_exploitation_hafnium.yml
2021-07-01 12:18:30 +05:45


title: Exchange Exploitation Used by HAFNIUM
id: 67bce556-312f-4c81-9162-c3c9ff2599b2
status: experimental
description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
references:
    - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Florian Roth
date: 2021/03/03
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection1:
        cs-method: 'POST'
        c-uri|contains: '/owa/auth/Current/themes/resources/'
    selection2:
        cs-method: 'POST'
        c-uri|contains: '/owa/auth/Current/'
        c-useragent:
            - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
            - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
            - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
            - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
            - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
            - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
            - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
            - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
            - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
    selection3:
        c-uri|contains: '/ecp/'
        cs-method: 'POST'
        c-useragent:
            - 'ExchangeServicesClient/0.0.0.0'
            - 'python-requests/2.19.1'
            - 'python-requests/2.25.1'
    selection4:
        c-uri|contains:
            - '/aspnet_client/'
            - '/owa/'
        cs-method: 'POST'
        c-useragent:
            - 'antSword/v2.1'
            - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
            - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
    selection5:
        c-uri|contains:
            - '/owa/auth/Current/'
            - '/ecp/default.flt'
            - '/ecp/main.css'
        cs-method: 'POST'
    selection6:
        cs-method: 'POST'
        c-uri|contains|all:
            - '/ecp/'
            - '.js'
    condition: 1 of them
falsepositives:
    - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
level: high
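To see what this rule actually fires on, here is an added Python evaluator of the six selections and the `1 of them` condition, run over constructed IIS W3C-style log lines; it is not part of the SigmaHQ rule or its tooling. It assumes a simplified field layout (date, time, cs-method, cs-uri-stem, User-Agent, sc-status) and applies Sigma's default case-insensitive matching, with `contains` as a substring test and plain values as exact matches.

```python
# Constructed sample lines: date time cs-method cs-uri-stem cs(User-Agent) sc-status.
# IIS replaces spaces inside the User-Agent with '+', which is why the rule's UA strings contain '+'.
SAMPLE_LOG = """\
2021-03-03 10:00:01 POST /owa/auth/Current/themes/resources/logon.css python-requests/2.25.1 200
2021-03-03 10:00:03 POST /ecp/DDI/DDIService.svc/SetObject ExchangeServicesClient/0.0.0.0 200
2021-03-03 10:00:04 POST /ecp/y.js Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm) 200
2021-03-03 10:00:05 POST /owa/ antSword/v2.1 200
2021-03-03 10:00:06 POST /ecp/main.css Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-03 10:00:07 GET /owa/auth/logon.aspx Mozilla/5.0+(Windows+NT+10.0) 200
"""
SEL2_UA = [  # the crawler-style User-Agents listed under selection2
    "DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)",
    "facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)",
    "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)",
    "Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)",
    "Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html",
    "Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)",
    "Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)",
    "Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)",
    "Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36",
]
# Each selection: (c-uri substrings, require all of them?, exact c-useragent values or None). All six require POST.
SELECTIONS = {
    "selection1": (["/owa/auth/Current/themes/resources/"], False, None),
    "selection2": (["/owa/auth/Current/"], False, SEL2_UA),
    "selection3": (["/ecp/"], False, ["ExchangeServicesClient/0.0.0.0", "python-requests/2.19.1", "python-requests/2.25.1"]),
    "selection4": (["/aspnet_client/", "/owa/"], False, ["antSword/v2.1", "Googlebot/2.1+(+http://www.googlebot.com/bot.html)", "Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)"]),
    "selection5": (["/owa/auth/Current/", "/ecp/default.flt", "/ecp/main.css"], False, None),
    "selection6": (["/ecp/", ".js"], True, None),
}

def parse_line(line):
    """Map one constructed log line onto the Sigma webserver field names the rule uses."""
    _date, _time, method, uri, ua, _status = line.split(" ")
    return {"cs-method": method, "c-uri": uri, "c-useragent": ua}

def matched_selections(event):
    """Return the names of the selections this event satisfies (case-insensitive, like Sigma)."""
    if event["cs-method"].upper() != "POST":
        return []
    uri, ua = event["c-uri"].lower(), event["c-useragent"].lower()
    hits = []
    for name, (subs, need_all, uas) in SELECTIONS.items():
        uri_ok = (all if need_all else any)(s.lower() in uri for s in subs)   # c-uri|contains / |contains|all
        ua_ok = uas is None or ua in {u.lower() for u in uas}                 # exact match against the UA list
        if uri_ok and ua_ok:
            hits.append(name)
    return hits

def scan(log_text):
    """Apply 'condition: 1 of them': a line alerts when at least one selection matches."""
    return [(e["c-uri"], m) for e in map(parse_line, log_text.splitlines()) if (m := matched_selections(e))]
```

Note that the sample POST to `/owa/auth/Current/themes/resources/logon.css` trips both selection1 and selection5, while the GET line never matches because every selection requires POST.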