From 6ba74459f7ca64061a654135655a97f0dc052c9a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 7 Mar 2021 09:46:23 +0100
Subject: [PATCH] Another webshell

---
 yara/apt_hafnium.yar | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/yara/apt_hafnium.yar b/yara/apt_hafnium.yar
index 2993e9b..07af52b 100644
--- a/yara/apt_hafnium.yar
+++ b/yara/apt_hafnium.yar
@@ -186,4 +186,20 @@ rule WEBSHELL_CVE_2021_27065_Webshells {
       $extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
    condition:
       filesize < 10KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
-}
\ No newline at end of file
+}
+
+rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
+   meta:
+      description = "Detects HAFNIUM ASPX files dropped on compromised servers"
+      author = "Florian Roth"
+      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
+      date = "2021-03-07"
+      score = 85
+      hash1 = "8647c1ec69dc544fad59e062e36f395f6f2f41d634ea982954f28cc542bd696d"
+   strings:
+      $s1 = "runat=\"server\">void Page_Load(object" ascii wide
+      $s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
+   condition:
+      filesize < 50KB and
+      1 of them
+}
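Review bot: `$s2` (`Request.Files[0].SaveAs(Server.MapPath(`) is the stock ASP.NET file-upload idiom, and with `1 of them` in the condition it alone is enough to fire, so any benign upload handler under 50KB in a web root will match at score 85. Either tighten the condition to `all of them` (both strings are present in the referenced sample, given `hash1`), or keep `1 of them` and lower `score` with a meta note that `$s2` on its own is a weak indicator, e.g. `score = 60`. `$s1` is the more distinctive of the two because of the missing whitespace between `>` and `void`, which is unusual for hand-written or tool-generated pages, so it could also carry a higher weight in a split condition. The strings describe an upload-style shell rather than the eval/`Page_Load`-with-request-parameter pattern usually labelled China Chopper, so the `Chopper` part of the rule name may be worth confirming against the sample before release.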