Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
HAFNIUM IIS Log Search Patterns
# Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1
#
# https://twitter.com/eric_capuano
# Quick check for likely successful attacks
## Bash (faster)
egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
## PowerShell
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
# More thorough check for most common IOCs, higher possibility for false positives and failed attempts
## Bash
egrep -i '(python-requests|ExchangeServicesClient\/0\.0\.0\.0|system_web|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198|104\.248\.49\.97|ecp\/y\.js|supp0rt|\/(shell|one|xx|[A-Za-z]{1})\.aspx|aspnet_client|system_web|RedirSuiteServerProxy)' *.log
## PowerShell
Select-String -Pattern '(python-requests|ExchangeServicesClient\/0\.0\.0\.0|system_web|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198|104\.248\.49\.97|ecp\/y\.js|supp0rt|\/(shell|one|xx|[A-Za-z]{1})\.aspx|aspnet_client|system_web|RedirSuiteServerProxy)' *.log
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment