Detection for CVE_2021_27055 activity

The artefacts are found in the HTTP Proxy logs under \Microsoft\Exchange Server\V15\Logging\HttpProxy\
svch0stz 2021-03-10 12:44:48 +11:00 committed by GitHub
parent 27b6c2fc96
commit 1b9ce79259


@ -59,3 +59,17 @@ rule LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 : LOG {
condition:
1 of ($x*) or 2 of them
}
rule EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts : LOG {
meta:
description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity. Scan logs in \\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\"
author = "Zach Stanford - @svch0st"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log"
date = "2021-03-10"
score = 65
strings:
$s1 = "ServerInfo" ascii wide fullword
$r1 = /(ecp|owa)\/auth\/\w\.js/
condition:
2 of them
}
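Review bot: The rule name (and the commit title) reference CVE-2021-27055, which as far as I can tell is not one of the Exchange CVEs covered by the Microsoft HAFNIUM post cited in `reference` (that post lists CVE-2021-26855, -26857, -26858 and -27065), and the `ServerInfo~` AnchorMailbox artefact in the HttpProxy logs is the one it attributes to the SSRF CVE-2021-26855 — so the identifier looks like a typo and should be corrected before analysts cite the rule name in reports. The condition `2 of them` only requires both strings to occur somewhere in the same file, not on the same log line, so an unrelated "ServerInfo" occurrence anywhere in a multi-day HttpProxy log plus any single request for a one-character script under `/owa/auth/` or `/ecp/auth/` will fire; a comment such as `// file-level match: the two strings may come from different log lines, triage the hit` next to the condition would set expectations for the analyst. `$r1` also matches only one-character script names and is case-sensitive, so `/owa/auth/xx.js` or `/OWA/auth/x.js` would be missed if such variants appear in the logs; if the single-character form is intentional (it matches the `x.js`/`y.js` requests described in the reports), a `meta` note saying so would stop the next maintainer from "fixing" it, otherwise `/(ecp|owa)\/auth\/\w+\.js/ nocase` broadens it.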