valitydev/signature-base
14
0
Fork 0
mirror of https://github.com/valitydev/signature-base.git synced 2024-11-07 02:25:19 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

HAFNIUM Filename IOCs

Browse Source
This commit is contained in:
Florian Roth 2021-03-03 09:49:02 +01:00
parent 7acbf6f333
commit bc5acccfdd
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
iocs/filename-iocs.txt
View File

@ -3474,6 +3474,17 @@ ublic\\.Monitor\\ews\.conf;90
/usr/share/centreon/www/htmlHeader.php;80 /usr/share/centreon/www/htmlHeader.php;80
/configtx\.json;80 /configtx\.json;80
# Archive in suspicious folder https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
:\\ProgramData\\[\w]{1,6}\.(zip|7z|rar)$;40
\\xx\.aspx$;60
\\shell\.aspx$;50
# HAFNIUM IOCs https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
\\inetpub\\wwwroot\\aspnet_client\\[^\\]{1,20}\.aspx;90
\\inetpub\\wwwroot\\aspnet_client\\[^\\]{1,20}\\[^\\]{1,20}\.aspx;90
\\FrontEnd\\HttpProxy\\ecp\\auth\\[^T];70
\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\[^\\]{1,20}\.aspx;90
\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\[^\\]{1,20}\\[^\\]{1,20}\.aspx;90
\\FrontEnd\\HttpProxy\\owa\\auth\\[0-9\.]{6,12}\\[^\\]{1,20}\.aspx;90
# End # End