Created
March 7, 2021 04:00
-
-
Save ecapuano/13386852fb80beac4561f2bed569095e to your computer and use it in GitHub Desktop.
HAFNIUM IIS Log Search Patterns
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs... | |
| # Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1 | |
| # | |
| # https://twitter.com/eric_capuano | |
| # Quick check for likely successful attacks | |
| ## Bash (faster) | |
| egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log | |
| ## PowerShell | |
| Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log | |
| # More thorough check for most common IOCs, higher possibility for false positives and failed attempts | |
| ## Bash | |
| egrep -i '(python-requests|ExchangeServicesClient\/0\.0\.0\.0|system_web|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198|104\.248\.49\.97|ecp\/y\.js|supp0rt|\/(shell|one|xx|[A-Za-z]{1})\.aspx|aspnet_client|system_web|RedirSuiteServerProxy)' *.log | |
| ## PowerShell | |
| Select-String -Pattern '(python-requests|ExchangeServicesClient\/0\.0\.0\.0|system_web|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198|104\.248\.49\.97|ecp\/y\.js|supp0rt|\/(shell|one|xx|[A-Za-z]{1})\.aspx|aspnet_client|system_web|RedirSuiteServerProxy)' *.log |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment