refactor: refactored hafnium log rule

yara/apt_hafnium_log_sigs.yar

@@ -62,19 +62,22 @@ rule LOG_Exchange_Forensic_Artefacts_CleanUp_Activity_Mar21_1 : LOG {
 
 rule EXPL_LOG_CVE_2021_27055_Exchange_Forensic_Artefacts : LOG {
    meta:
-	  description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity. Scan logs in \\Microsoft\\Exchange Server\\V15\\Logging\\HttpProxy\\"
-	  author = "Zach Stanford - @svch0st"
+	  description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
+	  author = "Florian Roth"
 	  reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/#scan-log"
+     reference_2 = "https://www.praetorian.com/blog/reproducing-proxylogon-exploit/"
 	  date = "2021-03-10"
 	  score = 65
    strings:
 	  $x1 = "ServerInfo~" ascii wide
 	  
+     $sr1 = /\/ecp\/[a-zA-Z0-9]\.js/ ascii wide
+	  
 	  $s1 = "/ecp/auth/w.js" ascii wide 
 	  $s2 = "/owa/auth/w.js" ascii wide
-	  $s3 = "/ecp/y.js" ascii wide
-	  $s4 = "/ecp/main.css" ascii wide
-	  $s5 = "/ecp/default.flt" ascii wide
+	  $s3 = "/ecp/main.css" ascii wide
+	  $s4 = "/ecp/default.flt" ascii wide
+     $s5 = "/owa/auth/Current/themes/resources/logon.css" ascii wide
    condition:
 	  $x1 and 1 of ($s*)
 }