
@eduardomcm
Forked from mgreen27/HAFNIUM_Webshell.yaml
Created August 30, 2021 16:14
HAFNIUM Webshell VQL
# Velociraptor CLIENT artifact: walks the NTFS MFT for files whose path matches
# PathRegex and runs a yara rule set over each of them (see sources below).
name: Custom.Packs.HAFNIUM.Windows.WebshellSearch
author: Matt Green - @mgreen27
description: |
  This artifact will hunt for Webshells associated with the HAFNIUM campaign as
  reported by Microsoft and Volexity.
  The default artifact will discover all ASPX files on C: then run a preconfigured
  yara rule. Yara can be supplied by the YaraRule parameter or alternatively a
  URL can be set to enable download of remote rule set.
  To target exchange / IIS logs, add PathRegex, paste full yar set with additional
  indicators.
  Some examples of path regex may include:
    Generic Exchange/IIS logs: (inetpub|Exchange).+.log$
    Multiple extensions: \.(php|aspx|resx|asmx)$
    Extension at a path: Folder/Folder/.+\.log$
    More wildcards: Folder/.+/.+\.log$
    Specific file: Folder/Filename\.log$
  Note: no drive and forward slashes.
  Modify SearchMFT for non C drive or select AllDrives feature.
  There are 3 kinds of Yara rules that can be deployed:
    1. Url link to a yara rule.
    2. Shorthand yara in the format "wide nocase ascii:string1,string2,string3".
    3. or a Standard Yara rule attached as a parameter.
  Only one method of Yara will be applied and search order is as above.
# Source material for the embedded rules. NOTE(review): the last link is the
# GitHub "blob" page rather than the raw file; if it were reused as YaraUrl the
# client would fetch HTML, so use the raw.githubusercontent.com form as for
# apt_hafnium.yar.
reference:
  - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
  - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
  - https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/apt_hafnium.yar
  - https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium_log_sigs.yar
type: CLIENT
# Yara source precedence, enforced by the nested if() in the query below:
# YaraUrl, then ShortHandYara, then YaraRule. Only one source is ever used.
parameters:
  # Regex handed to Artifact.Windows.NTFS.MFT as PathRegex (see the query).
  # The default matches php/aspx/resx/asmx, not only the ASPX files the
  # description mentions.
  - name: PathRegex
    description: Only file names that match this regular expression will be scanned.
    default: \.(php|aspx|resx|asmx)$
  # Passed to the MFT artifact as MFTFilename; the default walks the C: volume.
  - name: SearchMFT
    description: "Target drive MFT. Default is a C:"
    default: "C:/$MFT"
  # Size bounds forwarded unchanged to the MFT artifact; presumably an empty
  # value means "no bound" - verify against that artifact.
  - name: SizeMax
    default:
  - name: SizeMin
    default:
  # Forwarded to the MFT artifact; the description offers it as the
  # alternative to pointing SearchMFT at a different drive.
  - name: AllDrives
    type: bool
  # When true, every file with a yara hit is sent to the server with upload()
  # (see upload_hits in the query). Uploaded content is suspected webshell
  # source, so treat it as untrusted on the receiving side.
  - name: UploadHits
    type: bool
  # First choice: rules fetched at run time with http_client(method='GET').
  # Whatever the URL returns is compiled as the rule set, so point it at a
  # trusted, integrity-controlled raw rule file.
  - name: YaraUrl
    description: If configured will attempt to download Yara rules from Url
    default:
  # Second choice: Velociraptor shorthand rule, format per the description
  # ("wide nocase ascii:string1,string2,string3").
  - name: ShortHandYara
    description: Second option Yara choice is a Velociraptor shorthand Yara rule
    default:
  # Fallback: the rule set below. Authorship and origin of each rule are in
  # its meta section; the reference links above are the upstream sources.
  - name: YaraRule
    description: Final Yara option and the default if no other options provided.
    default: |
      rule WEBSHELL_ASP_Embedded_Mar21_1 {
         meta:
            description = "Detects ASP webshells"
            author = "Florian Roth"
            reference = "Internal Research"
            date = "2021-03-05"
            score = 85
         strings:
            $s1 = "<script runat=\"server\">" nocase
            $s2 = "new System.IO.StreamWriter(Request.Form["
            $s3 = ".Write(Request.Form["
         condition:
            filesize < 100KB and all of them
      }
      rule APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1 {
         meta:
            description = "Detects HAFNIUM SecChecker webshell"
            author = "Florian Roth"
            reference = "https://twitter.com/markus_neis/status/1367794681237667840"
            date = "2021-03-05"
            hash1 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
         strings:
            $x1 = "<%if(System.IO.File.Exists(\"c:\\\\program files (x86)\\\\fireeye\\\\xagt.exe" ascii
            $x2 = "\\csfalconservice.exe\")){Response.Write( \"3\");}%></head>" ascii fullword
         condition:
            uint16(0) == 0x253c and
            filesize < 1KB and
            1 of them or 2 of them
      }
      rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1 {
         meta:
            description = "Detects forensic artefacts found in HAFNIUM intrusions"
            author = "Florian Roth"
            reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
            date = "2021-03-02"
         strings:
            $s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword
            $s2 = "c:\\ProgramData\\it.zip" ascii wide fullword
            $s3 = "powercat.ps1'); powercat -c" ascii wide fullword
         condition:
            1 of them
      }
      rule APT_WEBSHELL_HAFNIUM_Chopper_WebShell: APT Hafnium WebShell {
         meta:
            description = "Detects Chopper WebShell Injection Variant (not only Hafnium related)"
            author = "Markus Neis,Swisscom"
            date = "2021-03-05"
            reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
         strings:
            $x1 = "runat=\"server\">" nocase
            $s1 = "<script language=\"JScript\" runat=\"server\">function Page_Load(){eval(Request" nocase
            $s2 = "protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form[\"p\"] , false, Encoding.Default);sw.Write(Request.Form[\"f\"]);"
            $s3 = "<script language=\"JScript\" runat=\"server\"> function Page_Load(){eval (Request[\"" nocase
         condition:
            filesize < 10KB and $x1 and 1 of ($s*)
      }
      rule APT_WEBSHELL_Tiny_WebShell : APT Hafnium WebShell {
         meta:
            description = "Detects WebShell Injection"
            author = "Markus Neis,Swisscom"
            hash = "099c8625c58b315b6c11f5baeb859f4c"
            date = "2021-03-05"
            reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
         strings:
            $x1 = "<%@ Page Language=\"Jscript\" Debug=true%>"
            $s1 = "=Request.Form(\""
            $s2 = "eval("
         condition:
            filesize < 300 and all of ($s*) and $x1
      }
      rule HKTL_PS1_PowerCat_Mar21 {
         meta:
            description = "Detects PowerCat hacktool"
            author = "Florian Roth"
            reference = "https://github.com/besimorhino/powercat"
            date = "2021-03-02"
            hash1 = "c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2"
         strings:
            $x1 = "powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com" ascii fullword
            $x2 = "try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}" ascii fullword
            $s1 = "Returning Encoded Payload..." ascii
            $s2 = "$CommandToExecute =" ascii fullword
            $s3 = "[alias(\"Execute\")][string]$e=\"\"," ascii
         condition:
            uint16(0) == 0x7566 and
            filesize < 200KB and
            1 of ($x*) or 3 of them
      }
      rule HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine {
         meta:
            description = "Detects PowerShell Oneliner in Nishang's repository"
            author = "Florian Roth"
            reference = "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
            date = "2021-03-03"
            hash1 = "2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32"
         strings:
            $s1 = "=([text.encoding]::ASCII).GetBytes((iex $" ascii wide
            $s2 = ".GetStream();[byte[]]$" ascii wide
            $s3 = "New-Object Net.Sockets.TCPClient('" ascii wide
         condition:
            all of them
      }
      rule WEBSHELL_ASPX_SimpleSeeSharp : Webshell Unclassified {
         meta:
            author = "threatintel@volexity.com"
            date = "2021-03-01"
            description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
            hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"
            reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
         strings:
            $header = "<%@ Page Language=\"C#\" %>"
            $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"
         condition:
            $header at 0 and
            $body and
            filesize < 1KB
      }
      rule WEBSHELL_ASPX_reGeorgTunnel : Webshell Commodity {
         meta:
            author = "threatintel@volexity.com"
            date = "2021-03-01"
            description = "variation on reGeorgtunnel"
            hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
            reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
         strings:
            $s1 = "System.Net.Sockets"
            $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
            $t1 = ".Split('|')"
            $t2 = "Request.Headers.Get"
            $t3 = ".Substring("
            $t4 = "new Socket("
            $t5 = "IPAddress ip;"
         condition:
            all of ($s*) or
            all of ($t*)
      }
      rule WEBSHELL_ASPX_SportsBall : Webshell {
         meta:
            author = "threatintel@volexity.com"
            date = "2021-03-01"
            description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
            hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
            reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
         strings:
            $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
            $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="
            $var1 = "Result.InnerText = string.Empty;"
            $var2 = "newcook.Expires = DateTime.Now.AddDays("
            $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
            $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
            $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
            $var6 = "<input type=\"submit\" value=\"Upload\" />"
         condition:
            any of ($uniq*) or
            all of ($var*)
      }
      rule WEBSHELL_CVE_2021_27065_Webshells {
         meta:
            description = "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE"
            author = "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)"
            date = "2021-03-05"
            reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
         strings:
            $script1 = "script language" ascii wide nocase
            $script2 = "page language" ascii wide nocase
            $script3 = "runat=\"server\"" ascii wide nocase
            $script4 = "/script" ascii wide nocase
            $externalurl = "externalurl" ascii wide nocase
            $internalurl = "internalurl" ascii wide nocase
            $internalauthenticationmethods = "internalauthenticationmethods" ascii wide nocase
            $extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
         condition:
            filesize < 10KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
      }
      rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
         meta:
            description = "Detects HAFNIUM ASPX files dropped on compromised servers"
            author = "Florian Roth"
            reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
            date = "2021-03-07"
            score = 85
         strings:
            $s1 = "runat=\"server\">void Page_Load(object" ascii wide
            $s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
         condition:
            filesize < 50KB and
            all of them
      }
      rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4 {
         meta:
            description = "Detects HAFNIUM ASPX files dropped on compromised servers"
            author = "Florian Roth"
            reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
            date = "2021-03-07"
            score = 85
         strings:
            $s1 = "<%@Page Language=\"Jscript\"%>" ascii wide nocase
            $s2 = ".FromBase64String(" ascii wide nocase
            $s3 = "eval(System.Text.Encoding." ascii wide nocase
         condition:
            filesize < 850 and
            all of them
      }
      rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1 {
         meta:
            description = "Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won't be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt."
            author = "Florian Roth"
            reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
            date = "2021-03-07"
            score = 50
         strings:
            $s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
            $s7 = ".Value=w3wp#MSExchangeECPAppPool" wide
         condition:
            uint16(0) == 0xfeff and
            filesize < 8KB and
            all of them
      }
sources:
  # Windows-only: the precondition filters on info().OS.
  - precondition:
      SELECT OS From info() where OS = 'windows'
    query: |
      -- check which Yara to use
      -- Precedence is YaraUrl, then ShortHandYara, then YaraRule; the nested
      -- if() means only one source is ever consulted. Content[0] further down
      -- takes the first row, so a URL that returns nothing usable leaves the
      -- scan without rules - confirm how yara() reports that case.
      LET yara <= if(condition=YaraUrl,
          then= { SELECT Content FROM http_client( url=YaraUrl, method='GET') },
          else= if(condition=ShortHandYara,
              then= { SELECT ShortHandYara as Content FROM scope() },
              else= { SELECT YaraRule as Content FROM scope() }))

      -- first find all files with relevant extension in mft
      -- MFTPath presumably has the "<drive>/$MFT" shape of the SearchMFT
      -- default; the text before '$' is the drive prefix, re-joined with the
      -- relative FullPath. PathRegex, size bounds and AllDrives are passed
      -- straight through to the MFT artifact; directories are dropped here.
      LET files = SELECT IsDir,
            split(string=MFTPath,sep='\\$')[0] + FullPath as FullPath
        FROM Artifact.Windows.NTFS.MFT(MFTFilename=SearchMFT,AllDrives=AllDrives,
            PathRegex=PathRegex,SizeMax=SizeMax, SizeMin=SizeMin)
        WHERE NOT IsDir

      -- scan files - only report a single hit.
      -- LIMIT 1 inside the subquery: at most one row per file, carrying the
      -- first match yara() emits; further matching rules/strings in the same
      -- file are not reported.
      LET hits = SELECT * FROM foreach(row=files,
          query={
              SELECT
                  FileName as FullPath,
                  File.Size AS Size,
                  File.ModTime AS ModTime,
                  Rule, Tags, Meta,
                  str(str=String.Data) AS HitContext,
                  String.Offset AS HitOffset
              FROM yara(rules=yara.Content[0],files=FullPath)
              LIMIT 1
          })

      -- upload files that hit
      -- upload() sends the matched file to the server; this branch is only
      -- selected when UploadHits is true (final if() below).
      LET upload_hits=SELECT *,
            upload(file=FullPath) AS Upload
        FROM hits

      -- return rows
      SELECT * FROM if(condition=UploadHits,
          then=upload_hits,
          else=hits)
# Find updated rules directly from the source, or copy-paste the URL below into the YaraUrl field
# https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/apt_hafnium.yar
// Server-side ASP script block that opens a StreamWriter on a Request.Form
// value and writes another form value into it, i.e. a file-drop primitive.
// All three strings are required.
rule WEBSHELL_ASP_Embedded_Mar21_1 {
   meta:
      description = "Detects ASP webshells"
      author = "Florian Roth"
      reference = "Internal Research"
      date = "2021-03-05"
      score = 85
   strings:
      $s1 = "<script runat=\"server\">" nocase
      $s2 = "new System.IO.StreamWriter(Request.Form["
      $s3 = ".Write(Request.Form["
   condition:
      // size cap keeps the rule off large legitimate pages
      filesize < 100KB and all of them
}
// "SecChecker": a page that tests for EDR agent files on disk and writes a
// status digit back in the response.
rule APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1 {
   meta:
      description = "Detects HAFNIUM SecChecker webshell"
      author = "Florian Roth"
      reference = "https://twitter.com/markus_neis/status/1367794681237667840"
      date = "2021-03-05"
      hash1 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
   strings:
      // File.Exists() probe for the FireEye agent; the same path also appears
      // as $rail1 (regex form) in WEBSHELL_APT_EDR_Guardrails in the log-sigs set
      $x1 = "<%if(System.IO.File.Exists(\"c:\\\\program files (x86)\\\\fireeye\\\\xagt.exe" ascii
      // tail of the probe chain: CrowdStrike service check and the "3" response
      $x2 = "\\csfalconservice.exe\")){Response.Write( \"3\");}%></head>" ascii fullword
   condition:
      // uint16(0) is read little-endian: 0x253c is the bytes "<%" at offset 0
      uint16(0) == 0x253c and
      filesize < 1KB and
      // yara's 'and' binds tighter than 'or': the magic and size guards apply
      // only to the "1 of them" branch; "2 of them" matches at any size
      1 of them or 2 of them
}
// Command-line / script fragments reported from HAFNIUM intrusions: an
// lsass.exe invocation with a temp output path, a staged archive under
// ProgramData, and a powercat connect (-c) call. Any single one matches.
rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1 {
   meta:
      description = "Detects forensic artefacts found in HAFNIUM intrusions"
      author = "Florian Roth"
      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
      date = "2021-03-02"
   strings:
      $s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword
      $s2 = "c:\\ProgramData\\it.zip" ascii wide fullword
      $s3 = "powercat.ps1'); powercat -c" ascii wide fullword
   condition:
      1 of them
}
// Chopper-style one-liners: the generic runat="server" marker ($x1) is
// mandatory, plus one of the payload forms in $s* (JScript eval of the
// request, or a C# StreamWriter fed from Request.Form["p"]/["f"]).
rule APT_WEBSHELL_HAFNIUM_Chopper_WebShell: APT Hafnium WebShell {
   meta:
      description = "Detects Chopper WebShell Injection Variant (not only Hafnium related)"
      author = "Markus Neis,Swisscom"
      date = "2021-03-05"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
   strings:
      $x1 = "runat=\"server\">" nocase
      $s1 = "<script language=\"JScript\" runat=\"server\">function Page_Load(){eval(Request" nocase
      $s2 = "protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form[\"p\"] , false, Encoding.Default);sw.Write(Request.Form[\"f\"]);"
      $s3 = "<script language=\"JScript\" runat=\"server\"> function Page_Load(){eval (Request[\"" nocase
   condition:
      filesize < 10KB and $x1 and 1 of ($s*)
}
// Minimal JScript page (Debug=true directive) that evals a Request.Form value.
// Note the size bound is 300 bytes, not KB: this targets a very short file.
rule APT_WEBSHELL_Tiny_WebShell : APT Hafnium WebShell {
   meta:
      description = "Detects WebShell Injection"
      author = "Markus Neis,Swisscom"
      hash = "099c8625c58b315b6c11f5baeb859f4c"
      date = "2021-03-05"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
   strings:
      $x1 = "<%@ Page Language=\"Jscript\" Debug=true%>"
      $s1 = "=Request.Form(\""
      $s2 = "eval("
   condition:
      filesize < 300 and all of ($s*) and $x1
}
// PowerCat PowerShell netcat clone: $x* are lines unique to the tool's source
// (usage example, IEX of the received command), $s* are weaker fragments.
rule HKTL_PS1_PowerCat_Mar21 {
   meta:
      description = "Detects PowerCat hacktool"
      author = "Florian Roth"
      reference = "https://github.com/besimorhino/powercat"
      date = "2021-03-02"
      hash1 = "c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2"
   strings:
      $x1 = "powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com" ascii fullword
      $x2 = "try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}" ascii fullword
      $s1 = "Returning Encoded Payload..." ascii
      $s2 = "$CommandToExecute =" ascii fullword
      $s3 = "[alias(\"Execute\")][string]$e=\"\"," ascii
   condition:
      // uint16(0) little-endian: 0x7566 is the bytes "fu" at offset 0
      // (presumably a script starting with the "function" keyword)
      uint16(0) == 0x7566 and
      filesize < 200KB and
      // 'and' binds tighter than 'or': the magic/size guards cover only the
      // "1 of ($x*)" branch; "3 of them" matches regardless of size
      1 of ($x*) or 3 of them
}
// Nishang TCP one-liner: TCPClient creation, stream byte buffer and the
// iex-of-received-text fragment must all be present.
rule HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine {
   meta:
      description = "Detects PowerShell Oneliner in Nishang's repository"
      author = "Florian Roth"
      reference = "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
      date = "2021-03-03"
      hash1 = "2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32"
   strings:
      $s1 = "=([text.encoding]::ASCII).GetBytes((iex $" ascii wide
      $s2 = ".GetStream();[byte[]]$" ascii wide
      $s3 = "New-Object Net.Sockets.TCPClient('" ascii wide
   condition:
      all of them
}
// Single-purpose C# upload page: saves Request.Files[0] to a server path.
rule WEBSHELL_ASPX_SimpleSeeSharp : Webshell Unclassified {
   meta:
      author = "threatintel@volexity.com"
      date = "2021-03-01"
      description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
      hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
   strings:
      $header = "<%@ Page Language=\"C#\" %>"
      $body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"
   condition:
      // "at 0" anchors the page directive to the very start of the file
      $header at 0 and
      $body and
      filesize < 1KB
}
// reGeorg tunnel.aspx variant. Two independent signatures: the exact $s* pair
// (socket namespace plus base64-decoded header parsing), or all five of the
// weaker $t* fragments together.
rule WEBSHELL_ASPX_reGeorgTunnel : Webshell Commodity {
   meta:
      author = "threatintel@volexity.com"
      date = "2021-03-01"
      description = "variation on reGeorgtunnel"
      hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
      reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
   strings:
      $s1 = "System.Net.Sockets"
      $s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
      $t1 = ".Split('|')"
      $t2 = "Request.Headers.Get"
      $t3 = ".Substring("
      $t4 = "new Socket("
      $t5 = "IPAddress ip;"
   condition:
      all of ($s*) or
      all of ($t*)
}
// SPORTSBALL: either of the two unique markers (cookie name "fqrspt", fixed
// base64 blob) is enough on its own; otherwise all six generic fragments
// (process spawn, stdin write from the form, upload button) must co-occur.
rule WEBSHELL_ASPX_SportsBall : Webshell {
   meta:
      author = "threatintel@volexity.com"
      date = "2021-03-01"
      description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
      hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
   strings:
      $uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
      $uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="
      $var1 = "Result.InnerText = string.Empty;"
      $var2 = "newcook.Expires = DateTime.Now.AddDays("
      $var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
      $var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
      $var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
      $var6 = "<input type=\"submit\" value=\"Upload\" />"
   condition:
      any of ($uniq*) or
      all of ($var*)
}
// Small file that carries script markup together with virtual-directory
// setting names (externalurl/internalurl, internalauthenticationmethods,
// extendedprotectiontokenchecking). Presumably the configuration export the
// shell is written through - compare Set-OabVirtualDirectory.ExternalUrl in
// the log-sigs set.
rule WEBSHELL_CVE_2021_27065_Webshells {
   meta:
      description = "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE"
      author = "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)"
      date = "2021-03-05"
      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
   strings:
      $script1 = "script language" ascii wide nocase
      $script2 = "page language" ascii wide nocase
      $script3 = "runat=\"server\"" ascii wide nocase
      $script4 = "/script" ascii wide nocase
      $externalurl = "externalurl" ascii wide nocase
      $internalurl = "internalurl" ascii wide nocase
      $internalauthenticationmethods = "internalauthenticationmethods" ascii wide nocase
      $extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
   condition:
      // size cap, any script marker, either URL key, and both remaining setting names
      filesize < 10KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
}
// Page_Load handler that saves Request.Files[0] under Server.MapPath(): an
// upload-to-webroot primitive. Both strings required.
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
   meta:
      description = "Detects HAFNIUM ASPX files dropped on compromised servers"
      author = "Florian Roth"
      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
      date = "2021-03-07"
      score = 85
   strings:
      $s1 = "runat=\"server\">void Page_Load(object" ascii wide
      $s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
   condition:
      filesize < 50KB and
      all of them
}
// Short JScript page that base64-decodes input and evals it. The size bound
// is 850 bytes (not KB); all three strings required.
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4 {
   meta:
      description = "Detects HAFNIUM ASPX files dropped on compromised servers"
      author = "Florian Roth"
      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
      date = "2021-03-07"
      score = 85
   strings:
      $s1 = "<%@Page Language=\"Jscript\"%>" ascii wide nocase
      $s2 = ".FromBase64String(" ascii wide nocase
      $s3 = "eval(System.Text.Encoding." ascii wide nocase
   condition:
      filesize < 850 and
      all of them
}
// Windows Error Report for w3wp.exe running the MSExchangeECPAppPool. Per the
// description this fires for attempts against a patched server, hence the
// lower score. Strings are "wide" to match the UTF-16 report text.
rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1 {
   meta:
      description = "Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won't be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt."
      author = "Florian Roth"
      reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
      date = "2021-03-07"
      score = 50
   strings:
      $s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
      $s7 = ".Value=w3wp#MSExchangeECPAppPool" wide
   condition:
      // uint16(0) little-endian: 0xfeff is the bytes FF FE, the UTF-16LE BOM
      uint16(0) == 0xfeff and
      filesize < 8KB and
      all of them
}
# yara rules for IIS / Exchange logs; use the URL if connectivity is available
# Find updated rules directly from the source, or copy-paste the URL below into the YaraUrl field
# https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium_log_sigs.yar
// Log-file rule (tag LOG; meant for the Exchange/IIS log PathRegex described
// in the artifact): a Set-OabVirtualDirectory ExternalUrl change recorded in
// the ECP/PowerShell logs, the write path used by CVE-2021-27065.
rule EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
   meta:
      description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
      date = "2021-03-02"
   strings:
      $s1 = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='" ascii wide fullword
   condition:
      1 of them
}
// Log-file rule: a POST to one of the static /owa/auth/Current/themes/resources/
// assets (css, gif, font files) - a request shape that legitimate clients do
// not send, used to reach the file-write in CVE-2021-26858.
rule EXPL_LOG_CVE_2021_26858_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
   meta:
      description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-26858"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
      date = "2021-03-02"
      score = 65
      modified = "2021-03-04"
   strings:
      // note: lgnbotl.gif is listed twice in the alternation; harmless but redundant
      $xr1 = /POST (\/owa\/auth\/Current\/themes\/resources\/logon\.css|\/owa\/auth\/Current\/themes\/resources\/owafont_ja\.css|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif|\/owa\/auth\/Current\/themes\/resources\/owafont_ko\.css|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiBold\.eot|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiLight\.ttf|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif)/
   condition:
      $xr1
}
// IIS log line patterns. Each regex pins a POST to a specific path, skips
// 100-600 non-newline bytes (so the match stays within one log line), then
// requires a status code and/or a User-Agent from the reported set. The '+'
// between UA tokens is how IIS W3C logs encode spaces. Any one line matches.
// (There is no $xr2; the numbering gap is as published upstream.)
rule LOG_APT_HAFNIUM_Exchange_Log_Traces_Mar21_1 : LOG {
   meta:
      description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
      date = "2021-03-04"
      score = 65
   strings:
      // POST to ECP static resources answered with 200/301/302
      $xr1 = /POST \/(ecp\/y\.js|ecp\/main\.css|ecp\/default\.flt)[^\n]{100,600} (200|301|302) /
      // POST under /owa/auth/Current/ with a crawler/search-bot style User-Agent
      $xr3 = /POST \/owa\/auth\/Current\/[^\n]{100,600} (DuckDuckBot\/1\.0;\+\(\+http:\/\/duckduckgo\.com\/duckduckbot\.html\)|facebookexternalhit\/1\.1\+\(\+http:\/\/www\.facebook\.com\/externalhit_uatext\.php\)|Mozilla\/5\.0\+\(compatible;\+Baiduspider\/2\.0;\+\+http:\/\/www\.baidu\.com\/search\/spider\.html\)|Mozilla\/5\.0\+\(compatible;\+Bingbot\/2\.0;\+\+http:\/\/www\.bing\.com\/bingbot\.htm\)|Mozilla\/5\.0\+\(compatible;\+Googlebot\/2\.1;\+\+http:\/\/www\.google\.com\/bot\.html|Mozilla\/5\.0\+\(compatible;\+Konqueror\/3\.5;\+Linux\)\+KHTML\/3\.5\.5\+\(like\+Gecko\)\+\(Exabot-Thumbnails\)|Mozilla\/5\.0\+\(compatible;\+Yahoo!\+Slurp;\+http:\/\/help\.yahoo\.com\/help\/us\/ysearch\/slurp\)|Mozilla\/5\.0\+\(compatible;\+YandexBot\/3\.0;\+\+http:\/\/yandex\.com\/bots\)|Mozilla\/5\.0\+\(X11;\+Linux\+x86_64\)\+AppleWebKit\/537\.36\+\(KHTML,\+like\+Gecko\)\+Chrome\/51\.0\.2704\.103\+Safari\/537\.3)/
      // POST under /ecp/ from ExchangeServicesClient/0.0.0.0 or python-requests, with 2xx/3xx
      $xr4 = /POST \/ecp\/[^\n]{100,600} (ExchangeServicesClient\/0\.0\.0\.0|python-requests\/2\.19\.1|python-requests\/2\.25\.1)[^\n]{200,600} (200|301|302) /
      // POST under /aspnet_client/ or /owa/ from antSword or a spoofed bot UA, with 2xx/3xx
      $xr5 = /POST \/(aspnet_client|owa)\/[^\n]{100,600} (antSword\/v2\.1|Googlebot\/2\.1\+\(\+http:\/\/www\.googlebot\.com\/bot\.html\)|Mozilla\/5\.0\+\(compatible;\+Baiduspider\/2\.0;\+\+http:\/\/www\.baidu\.com\/search\/spider\.html\))[^\n]{200,600} (200|301|302) /
   condition:
      1 of them
}
// File.Exists() probes for endpoint-agent install paths (FireEye xagt,
// "confer" - presumably the Carbon Black sensor directory, CrowdStrike
// Falcon). Any one probe matches. $rail1 is the regex form of $x1 in
// APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1, so both rules can fire on one file.
rule WEBSHELL_APT_EDR_Guardrails {
   meta:
      description = "Detects EDR guardrails in a Webshell"
      author = "Matt Green @mgreen27"
      reference = "https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/content/strings"
      date = "2021-03-05"
   strings:
      $rail1 = /System\.IO\.File\.Exists\(\"c:\\\\program files \(x86\)\\\\fireeye\\\\xagt.exe/
      $rail2 = /System\.IO\.File\.Exists\(\"c:\\\\program files\\\\confer\\\\eula.txt/
      $rail3 = /System\.IO\.File\.Exists\(\"c:\\\\program files\\\\crowdstrike\\\\csfalconservice\.exe/
   condition:
      any of them
}
// Source-IP indicators from the referenced report, as one regex alternation.
// The pattern is not anchored or delimited, so an indicator also matches as
// a substring of a longer address (e.g. 5.254.43.18 inside 15.254.43.18 or
// 5.254.43.180); confirm hits against the full client-IP field.
rule LOG_APT_HAFNIUM_IIS_Log_IP_Mar21 {
   meta:
      description = "Detects forensic artefacts found in HAFNIUM intrusions"
      author = "Matt Green @mgreen27"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
      date = "2021-03-04"
   strings:
      $ip = /103\.77\.192\.219|104\.140\.114\.110|104\.250\.191\.110|108\.61\.246\.56|149\.28\.14\.163|157\.230\.221\.198|167\.99\.168\.251|185\.250\.151\.72|192\.81\.208\.169|203\.160\.69\.66|211\.56\.98\.146|5\.254\.43\.18|5\.2\.69\.14|80\.92\.205\.81|91\.192\.103\.43/
   condition:
      $ip
}