Another webshell

yara/apt_hafnium.yar

@@ -186,4 +186,20 @@ rule WEBSHELL_CVE_2021_27065_Webshells {
       $extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
    condition:
       filesize < 10KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
-}
+}
+
+rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
+   meta:
+      description = "Detects HAFNIUM ASPX files dropped on compromised servers"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+      date = "2021-03-07"
+      score = 85
+      hash1 = "8647c1ec69dc544fad59e062e36f395f6f2f41d634ea982954f28cc542bd696d"
+   strings:
+      $s1 = "runat=\"server\">void Page_Load(object" ascii wide 
+      $s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
+   condition:
+      filesize < 50KB and
+      1 of them
+}