HAFNIUM Webshell VQL
name: Custom.Packs.HAFNIUM.Windows.WebshellSearch | |
author: Matt Green - @mgreen27 | |
description: | | |
This artifact will hunt for Webshells associated with the HAFNIUM campaign as | |
reported by Microsoft and Volexity. | |
By default the artifact enumerates files on C: whose extension matches the default
PathRegex (php, aspx, resx, asmx) via the MFT, then scans them with the embedded
Yara rule set. Alternative rules can be supplied with the YaraRule parameter, or
YaraUrl can be set so each endpoint downloads a remote rule set.
To target Exchange / IIS logs instead, change PathRegex to match the log files and
supply the log-signature Yara rules (e.g. apt_hafnium_log_sigs.yar, plus any extra
indicators) via YaraRule or YaraUrl -- the default webshell rules are not written for log content.
Some examples of path regex may include: | |
Generic Exchange/IIS logs: (inetpub|Exchange).+.log$ | |
Multiple extensions: \.(php|aspx|resx|asmx)$ | |
Extension at a path: Folder/Folder/.+\.log$ | |
More wildcards: Folder/.+/.+\.log$ | |
Specific file: Folder/Filename\.log$ | |
Note: PathRegex is matched against the path with the drive letter removed and forward slashes as separators.
Set SearchMFT to another drive's $MFT (e.g. D:/$MFT) to search a non-C drive, or enable AllDrives.
There are 3 kinds of Yara rules that can be deployed: | |
1. Url link to a yara rule. | |
2. Shorthand yara in the format "wide nocase ascii:string1,string2,string3". | |
3. or a Standard Yara rule attached as a parameter. | |
Only one Yara source is used; precedence is the order above (URL, then shorthand, then the YaraRule parameter).
reference: | |
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ | |
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ | |
- https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/apt_hafnium.yar | |
- https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium_log_sigs.yar | |
type: CLIENT | |
parameters: | |
- name: PathRegex | |
description: Only files whose path (drive letter removed, forward slashes) matches this regular expression will be scanned.
default: \.(php|aspx|resx|asmx)$ | |
- name: SearchMFT | |
description: "Path to the $MFT of the drive to search. Default is C:"
default: "C:/$MFT" | |
- name: SizeMax | |
default: | |
- name: SizeMin | |
default: | |
- name: AllDrives | |
type: bool | |
- name: UploadHits | |
type: bool | |
- name: YaraUrl | |
description: If configured will attempt to download Yara rules from Url | |
default: | |
- name: ShortHandYara | |
description: Second choice - a Velociraptor shorthand Yara rule ("wide nocase ascii:string1,string2" format), used only when YaraUrl is empty.
default: | |
- name: YaraRule | |
description: Standard Yara rule text - used when neither YaraUrl nor ShortHandYara is set. Defaults to the embedded HAFNIUM webshell rules below.
default: | | |
// Generic ASP.NET file-write shell: a server-side <script> block that opens a
// StreamWriter on a path taken from a POST form field and writes form data into
// it -- an arbitrary file-write primitive rather than a command shell.
rule WEBSHELL_ASP_Embedded_Mar21_1 {
meta:
description = "Detects ASP webshells"
author = "Florian Roth"
reference = "Internal Research"
date = "2021-03-05"
score = 85
strings:
$s1 = "<script runat=\"server\">" nocase
$s2 = "new System.IO.StreamWriter(Request.Form["
$s3 = ".Write(Request.Form["
condition:
// all three fragments are required; the size cap keeps large legitimate pages out
filesize < 100KB and all of them
}
// HAFNIUM "SecChecker" page: probes for EDR agents on disk (FireEye xagt,
// CrowdStrike csfalconservice) with File.Exists and echoes a result code.
// Precedence: `and` binds tighter than `or`, so the condition reads
//   (file starts with "<%" and < 1KB and 1 of them) or (2 of them)
// -- both strings together match regardless of header or size.
rule APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1 {
meta:
description = "Detects HAFNIUM SecChecker webshell"
author = "Florian Roth"
reference = "https://twitter.com/markus_neis/status/1367794681237667840"
date = "2021-03-05"
hash1 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
strings:
$x1 = "<%if(System.IO.File.Exists(\"c:\\\\program files (x86)\\\\fireeye\\\\xagt.exe" ascii
$x2 = "\\csfalconservice.exe\")){Response.Write( \"3\");}%></head>" ascii fullword
condition:
// 0x253c little-endian is the byte pair "<%": the file opens with an ASP tag
uint16(0) == 0x253c and
filesize < 1KB and
1 of them or 2 of them
}
// Command-line / scripting artefacts from HAFNIUM intrusions: an LSASS dump
// written to C:\windows\temp, the "it.zip" staging archive and a powercat
// reverse-connect invocation. Any single string fires, so this is best suited
// to logs, scripts and command-history files rather than web content. Note
// that IR write-ups and rule files carry these literals too (this file itself
// matches $s3), so scope PathRegex accordingly.
rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1 {
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions"
author = "Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-02"
strings:
$s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword
$s2 = "c:\\ProgramData\\it.zip" ascii wide fullword
$s3 = "powercat.ps1'); powercat -c" ascii wide fullword
condition:
1 of them
}
// China Chopper-style one-liner shells: $x1 is the generic runat="server"
// marker; the $s* strings are the JScript eval(Request[...]) form and the C#
// StreamWriter file-write variant. Needs $x1 plus any one $s* in a file < 10KB.
rule APT_WEBSHELL_HAFNIUM_Chopper_WebShell: APT Hafnium WebShell {
meta:
description = "Detects Chopper WebShell Injection Variant (not only Hafnium related)"
author = "Markus Neis,Swisscom"
date = "2021-03-05"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$x1 = "runat=\"server\">" nocase
$s1 = "<script language=\"JScript\" runat=\"server\">function Page_Load(){eval(Request" nocase
$s2 = "protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form[\"p\"] , false, Encoding.Default);sw.Write(Request.Form[\"f\"]);"
$s3 = "<script language=\"JScript\" runat=\"server\"> function Page_Load(){eval (Request[\"" nocase
condition:
filesize < 10KB and $x1 and 1 of ($s*)
}
// Minimal JScript eval shell: a Jscript page directive with Debug=true, a value
// read from Request.Form and eval(). filesize has no unit suffix here, so the
// cap is 300 bytes -- only the tiny dropped file matches, not larger pages that
// happen to call eval().
rule APT_WEBSHELL_Tiny_WebShell : APT Hafnium WebShell {
meta:
description = "Detects WebShell Injection"
author = "Markus Neis,Swisscom"
hash = "099c8625c58b315b6c11f5baeb859f4c"
date = "2021-03-05"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$x1 = "<%@ Page Language=\"Jscript\" Debug=true%>"
$s1 = "=Request.Form(\""
$s2 = "eval("
condition:
filesize < 300 and all of ($s*) and $x1
}
// besimorhino/powercat (netcat-alike in PowerShell). 0x7566 little-endian is the
// byte pair "fu", i.e. the script begins with "function". Precedence: `and`
// binds tighter than `or`, so this is
//   (header and < 200KB and 1 of $x*) or (3 of them)
// -- three generic $s* strings match without the header/size checks.
rule HKTL_PS1_PowerCat_Mar21 {
meta:
description = "Detects PowerCat hacktool"
author = "Florian Roth"
reference = "https://github.com/besimorhino/powercat"
date = "2021-03-02"
hash1 = "c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2"
strings:
$x1 = "powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com" ascii fullword
$x2 = "try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}" ascii fullword
$s1 = "Returning Encoded Payload..." ascii
$s2 = "$CommandToExecute =" ascii fullword
$s3 = "[alias(\"Execute\")][string]$e=\"\"," ascii
condition:
uint16(0) == 0x7566 and
filesize < 200KB and
1 of ($x*) or 3 of them
}
// Nishang Invoke-PowerShellTcpOneLine reverse shell: TCPClient connect,
// GetStream() into a byte buffer, and the output of iex encoded back onto the
// socket. All three fragments are required; no size cap; ascii and wide
// (UTF-16) forms so encoded/transcribed copies are covered.
rule HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine {
meta:
description = "Detects PowerShell Oneliner in Nishang's repository"
author = "Florian Roth"
reference = "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
date = "2021-03-03"
hash1 = "2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32"
strings:
$s1 = "=([text.encoding]::ASCII).GetBytes((iex $" ascii wide
$s2 = ".GetStream();[byte[]]$" ascii wide
$s3 = "New-Object Net.Sockets.TCPClient('" ascii wide
condition:
all of them
}
// Volexity "SimpleSeeSharp": a C# page whose only job is to save the first
// uploaded file (Request.Files[0]) to disk -- an arbitrary file-write primitive.
// The page directive must sit at offset 0 and the file must be under 1KB.
rule WEBSHELL_ASPX_SimpleSeeSharp : Webshell Unclassified {
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$header = "<%@ Page Language=\"C#\" %>"
$body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"
condition:
$header at 0 and
$body and
filesize < 1KB
}
// reGeorg-style SOCKS tunnel page. Two alternative string sets: the specific
// $s* pair (System.Net.Sockets plus base64-decoding a request header through
// StrTr), or all five generic $t* fragments. No size cap. The $t* set is
// ordinary socket-handling code, so a $t*-only hit deserves manual review.
rule WEBSHELL_ASPX_reGeorgTunnel : Webshell Commodity {
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "variation on reGeorgtunnel"
hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
strings:
$s1 = "System.Net.Sockets"
$s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
$t1 = ".Split('|')"
$t2 = "Request.Headers.Get"
$t3 = ".Substring("
$t4 = "new Socket("
$t5 = "IPAddress ip;"
condition:
all of ($s*) or
all of ($t*)
}
// Volexity "SPORTSBALL" upload/command shell. Fires on either unique marker
// (the "fqrspt" cookie name or the base64 constant) or on all six generic
// fragments (process spawn, stdin written from form data, cookie expiry,
// Upload button). No size cap.
rule WEBSHELL_ASPX_SportsBall : Webshell {
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
$uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="
$var1 = "Result.InnerText = string.Empty;"
$var2 = "newcook.Expires = DateTime.Now.AddDays("
$var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
$var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
$var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
$var6 = "<input type=\"submit\" value=\"Upload\" />"
condition:
any of ($uniq*) or
all of ($var*)
}
// MSTIC rule for shells written through CVE-2021-27065: pairs a script marker
// with OAB virtual-directory property names (externalurl/internalurl,
// internalauthenticationmethods, extendedprotectiontokenchecking). Per the
// referenced post that is how a shell written to disk via the virtual
// directory configuration looks, whoever the actor is. File must be < 10KB.
rule WEBSHELL_CVE_2021_27065_Webshells {
meta:
description = "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE"
author = "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)"
date = "2021-03-05"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
strings:
$script1 = "script language" ascii wide nocase
$script2 = "page language" ascii wide nocase
$script3 = "runat=\"server\"" ascii wide nocase
$script4 = "/script" ascii wide nocase
$externalurl = "externalurl" ascii wide nocase
$internalurl = "internalurl" ascii wide nocase
$internalauthenticationmethods = "internalauthenticationmethods" ascii wide nocase
$extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
condition:
filesize < 10KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
}
// ASPX drop seen on compromised servers: a Page_Load handler that saves the
// first uploaded file under the web root via Server.MapPath -- an
// upload-to-webroot primitive. Both strings required, file < 50KB.
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
meta:
description = "Detects HAFNIUM ASPX files dropped on compromised servers"
author = "Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-07"
score = 85
strings:
$s1 = "runat=\"server\">void Page_Load(object" ascii wide
$s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
condition:
filesize < 50KB and
all of them
}
// Base64-wrapped JScript eval shell: Jscript page directive, FromBase64String
// and eval(System.Text.Encoding. ...). All three required; filesize has no
// unit suffix, so the cap is 850 bytes.
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4 {
meta:
description = "Detects HAFNIUM ASPX files dropped on compromised servers"
author = "Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-07"
score = 85
strings:
$s1 = "<%@Page Language=\"Jscript\"%>" ascii wide nocase
$s2 = ".FromBase64String(" ascii wide nocase
$s3 = "eval(System.Text.Encoding." ascii wide nocase
condition:
filesize < 850 and
all of them
}
// Windows Error Report for a w3wp.exe crash in MSExchangeECPAppPool. Per the
// description this report is only written when the CVE-2021-26857 attempt
// fails (i.e. after patching), so a hit is evidence of attempted exploitation,
// not of compromise. 0xfeff little-endian is the byte pair FF FE -- the
// UTF-16LE BOM -- which is why the strings are `wide` only. Both required.
rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1 {
meta:
description = "Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won't be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt."
author = "Florian Roth"
reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
date = "2021-03-07"
score = 50
strings:
$s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
$s7 = ".Value=w3wp#MSExchangeECPAppPool" wide
condition:
uint16(0) == 0xfeff and
filesize < 8KB and
all of them
}
sources: | |
- precondition: | |
SELECT OS From info() where OS = 'windows' | |
query: | | |
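-- Pick the Yara source. Exactly one is used, in this order of precedence:
-- YaraUrl, then ShortHandYara, then the YaraRule parameter (embedded defaults).
-- The URL is fetched by every endpoint the hunt runs on, so it should be an
-- https URL under your control. Only a 200 response is accepted so that an
-- error page is never handed to yara() as rule text; a failed fetch therefore
-- yields no rules and no hits -- check the client log for yara errors before
-- reading "no results" as "clean".
LET yara <= if(condition=YaraUrl,
    then= { SELECT Content FROM http_client(url=YaraUrl, method='GET')
            WHERE Response = 200 },
    else= if(condition=ShortHandYara,
        then= { SELECT ShortHandYara as Content FROM scope() },
        else= { SELECT YaraRule as Content FROM scope() }))

-- Enumerate candidate files from the MFT. MFTPath is "<drive>:/$MFT", so
-- splitting on "$" recovers the "<drive>:/" prefix that is joined back onto
-- the MFT's drive-less FullPath. Directories are dropped: yara() scans content.
LET files = SELECT IsDir,
    split(string=MFTPath,sep='\\$')[0] + FullPath as FullPath
FROM Artifact.Windows.NTFS.MFT(MFTFilename=SearchMFT, AllDrives=AllDrives,
    PathRegex=PathRegex, SizeMax=SizeMax, SizeMin=SizeMin)
WHERE NOT IsDir

-- Scan each candidate. LIMIT 1 keeps the first match per file, so a file that
-- trips several rules (or several strings) is reported once, with whichever
-- rule yara() emits first; re-scan a hit with the full rule set for triage.
LET hits = SELECT * FROM foreach(row=files,
    query={
        SELECT
            FileName as FullPath,
            File.Size AS Size,
            File.ModTime AS ModTime,
            Rule, Tags, Meta,
            str(str=String.Data) AS HitContext,
            String.Offset AS HitOffset
        FROM yara(rules=yara.Content[0], files=FullPath)
        LIMIT 1
    })

-- Optionally collect matching files into the server's filestore. Hits are
-- suspected webshells / attacker tooling (or, with a log PathRegex, server
-- logs): handle the uploads as malware samples and as potentially sensitive.
LET upload_hits = SELECT *,
    upload(file=FullPath) AS Upload
FROM hits

-- Return the hit rows, with or without the Upload column.
SELECT * FROM if(condition=UploadHits,
    then=upload_hits,
    else=hits)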
// Find updated rules direct from source, or paste the raw URL below into the YaraUrl field
// (YARA has no '#' comments -- only // and /* */ -- so keep this header in // form if you paste the file into YaraRule):
// https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/apt_hafnium.yar
// Generic ASP.NET file-write shell: a server-side <script> block that opens a
// StreamWriter on a path taken from a POST form field and writes form data into
// it -- an arbitrary file-write primitive rather than a command shell.
rule WEBSHELL_ASP_Embedded_Mar21_1 {
meta:
description = "Detects ASP webshells"
author = "Florian Roth"
reference = "Internal Research"
date = "2021-03-05"
score = 85
strings:
$s1 = "<script runat=\"server\">" nocase
$s2 = "new System.IO.StreamWriter(Request.Form["
$s3 = ".Write(Request.Form["
condition:
// all three fragments are required; the size cap keeps large legitimate pages out
filesize < 100KB and all of them
}
// HAFNIUM "SecChecker" page: probes for EDR agents on disk (FireEye xagt,
// CrowdStrike csfalconservice) with File.Exists and echoes a result code.
// Precedence: `and` binds tighter than `or`, so the condition reads
//   (file starts with "<%" and < 1KB and 1 of them) or (2 of them)
// -- both strings together match regardless of header or size.
rule APT_WEBSHELL_HAFNIUM_SecChecker_Mar21_1 {
meta:
description = "Detects HAFNIUM SecChecker webshell"
author = "Florian Roth"
reference = "https://twitter.com/markus_neis/status/1367794681237667840"
date = "2021-03-05"
hash1 = "b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0"
strings:
$x1 = "<%if(System.IO.File.Exists(\"c:\\\\program files (x86)\\\\fireeye\\\\xagt.exe" ascii
$x2 = "\\csfalconservice.exe\")){Response.Write( \"3\");}%></head>" ascii fullword
condition:
// 0x253c little-endian is the byte pair "<%": the file opens with an ASP tag
uint16(0) == 0x253c and
filesize < 1KB and
1 of them or 2 of them
}
// Command-line / scripting artefacts from HAFNIUM intrusions: an LSASS dump
// written to C:\windows\temp, the "it.zip" staging archive and a powercat
// reverse-connect invocation. Any single string fires, so this is best suited
// to logs, scripts and command-history files rather than web content. Note
// that IR write-ups and rule files carry these literals too (this file itself
// matches $s3), so scope PathRegex accordingly.
rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1 {
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions"
author = "Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-02"
strings:
$s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword
$s2 = "c:\\ProgramData\\it.zip" ascii wide fullword
$s3 = "powercat.ps1'); powercat -c" ascii wide fullword
condition:
1 of them
}
// China Chopper-style one-liner shells: $x1 is the generic runat="server"
// marker; the $s* strings are the JScript eval(Request[...]) form and the C#
// StreamWriter file-write variant. Needs $x1 plus any one $s* in a file < 10KB.
rule APT_WEBSHELL_HAFNIUM_Chopper_WebShell: APT Hafnium WebShell {
meta:
description = "Detects Chopper WebShell Injection Variant (not only Hafnium related)"
author = "Markus Neis,Swisscom"
date = "2021-03-05"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$x1 = "runat=\"server\">" nocase
$s1 = "<script language=\"JScript\" runat=\"server\">function Page_Load(){eval(Request" nocase
$s2 = "protected void Page_Load(object sender, EventArgs e){System.IO.StreamWriter sw = new System.IO.StreamWriter(Request.Form[\"p\"] , false, Encoding.Default);sw.Write(Request.Form[\"f\"]);"
$s3 = "<script language=\"JScript\" runat=\"server\"> function Page_Load(){eval (Request[\"" nocase
condition:
filesize < 10KB and $x1 and 1 of ($s*)
}
// Minimal JScript eval shell: a Jscript page directive with Debug=true, a value
// read from Request.Form and eval(). filesize has no unit suffix here, so the
// cap is 300 bytes -- only the tiny dropped file matches, not larger pages that
// happen to call eval().
rule APT_WEBSHELL_Tiny_WebShell : APT Hafnium WebShell {
meta:
description = "Detects WebShell Injection"
author = "Markus Neis,Swisscom"
hash = "099c8625c58b315b6c11f5baeb859f4c"
date = "2021-03-05"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$x1 = "<%@ Page Language=\"Jscript\" Debug=true%>"
$s1 = "=Request.Form(\""
$s2 = "eval("
condition:
filesize < 300 and all of ($s*) and $x1
}
// besimorhino/powercat (netcat-alike in PowerShell). 0x7566 little-endian is the
// byte pair "fu", i.e. the script begins with "function". Precedence: `and`
// binds tighter than `or`, so this is
//   (header and < 200KB and 1 of $x*) or (3 of them)
// -- three generic $s* strings match without the header/size checks.
rule HKTL_PS1_PowerCat_Mar21 {
meta:
description = "Detects PowerCat hacktool"
author = "Florian Roth"
reference = "https://github.com/besimorhino/powercat"
date = "2021-03-02"
hash1 = "c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2"
strings:
$x1 = "powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com" ascii fullword
$x2 = "try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}" ascii fullword
$s1 = "Returning Encoded Payload..." ascii
$s2 = "$CommandToExecute =" ascii fullword
$s3 = "[alias(\"Execute\")][string]$e=\"\"," ascii
condition:
uint16(0) == 0x7566 and
filesize < 200KB and
1 of ($x*) or 3 of them
}
// Nishang Invoke-PowerShellTcpOneLine reverse shell: TCPClient connect,
// GetStream() into a byte buffer, and the output of iex encoded back onto the
// socket. All three fragments are required; no size cap; ascii and wide
// (UTF-16) forms so encoded/transcribed copies are covered.
rule HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine {
meta:
description = "Detects PowerShell Oneliner in Nishang's repository"
author = "Florian Roth"
reference = "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1"
date = "2021-03-03"
hash1 = "2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32"
strings:
$s1 = "=([text.encoding]::ASCII).GetBytes((iex $" ascii wide
$s2 = ".GetStream();[byte[]]$" ascii wide
$s3 = "New-Object Net.Sockets.TCPClient('" ascii wide
condition:
all of them
}
// Volexity "SimpleSeeSharp": a C# page whose only job is to save the first
// uploaded file (Request.Files[0]) to disk -- an arbitrary file-write primitive.
// The page directive must sit at offset 0 and the file must be under 1KB.
rule WEBSHELL_ASPX_SimpleSeeSharp : Webshell Unclassified {
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "A simple ASPX Webshell that allows an attacker to write further files to disk."
hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$header = "<%@ Page Language=\"C#\" %>"
$body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"
condition:
$header at 0 and
$body and
filesize < 1KB
}
// reGeorg-style SOCKS tunnel page. Two alternative string sets: the specific
// $s* pair (System.Net.Sockets plus base64-decoding a request header through
// StrTr), or all five generic $t* fragments. No size cap. The $t* set is
// ordinary socket-handling code, so a $t*-only hit deserves manual review.
rule WEBSHELL_ASPX_reGeorgTunnel : Webshell Commodity {
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "variation on reGeorgtunnel"
hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"
reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"
strings:
$s1 = "System.Net.Sockets"
$s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"
$t1 = ".Split('|')"
$t2 = "Request.Headers.Get"
$t3 = ".Substring("
$t4 = "new Socket("
$t5 = "IPAddress ip;"
condition:
all of ($s*) or
all of ($t*)
}
// Volexity "SPORTSBALL" upload/command shell. Fires on either unique marker
// (the "fqrspt" cookie name or the base64 constant) or on all six generic
// fragments (process spawn, stdin written from form data, cookie expiry,
// Upload button). No size cap.
rule WEBSHELL_ASPX_SportsBall : Webshell {
meta:
author = "threatintel@volexity.com"
date = "2021-03-01"
description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."
hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
strings:
$uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"
$uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="
$var1 = "Result.InnerText = string.Empty;"
$var2 = "newcook.Expires = DateTime.Now.AddDays("
$var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"
$var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""
$var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""
$var6 = "<input type=\"submit\" value=\"Upload\" />"
condition:
any of ($uniq*) or
all of ($var*)
}
// MSTIC rule for shells written through CVE-2021-27065: pairs a script marker
// with OAB virtual-directory property names (externalurl/internalurl,
// internalauthenticationmethods, extendedprotectiontokenchecking). Per the
// referenced post that is how a shell written to disk via the virtual
// directory configuration looks, whoever the actor is. File must be < 10KB.
rule WEBSHELL_CVE_2021_27065_Webshells {
meta:
description = "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE"
author = "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)"
date = "2021-03-05"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
strings:
$script1 = "script language" ascii wide nocase
$script2 = "page language" ascii wide nocase
$script3 = "runat=\"server\"" ascii wide nocase
$script4 = "/script" ascii wide nocase
$externalurl = "externalurl" ascii wide nocase
$internalurl = "internalurl" ascii wide nocase
$internalauthenticationmethods = "internalauthenticationmethods" ascii wide nocase
$extendedprotectiontokenchecking = "extendedprotectiontokenchecking" ascii wide nocase
condition:
filesize < 10KB and any of ($script*) and ($externalurl or $internalurl) and $internalauthenticationmethods and $extendedprotectiontokenchecking
}
// ASPX drop seen on compromised servers: a Page_Load handler that saves the
// first uploaded file under the web root via Server.MapPath -- an
// upload-to-webroot primitive. Both strings required, file < 50KB.
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_3 {
meta:
description = "Detects HAFNIUM ASPX files dropped on compromised servers"
author = "Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-07"
score = 85
strings:
$s1 = "runat=\"server\">void Page_Load(object" ascii wide
$s2 = "Request.Files[0].SaveAs(Server.MapPath(" ascii wide
condition:
filesize < 50KB and
all of them
}
// Base64-wrapped JScript eval shell: Jscript page directive, FromBase64String
// and eval(System.Text.Encoding. ...). All three required; filesize has no
// unit suffix, so the cap is 850 bytes.
rule APT_MAL_ASPX_HAFNIUM_Chopper_Mar21_4 {
meta:
description = "Detects HAFNIUM ASPX files dropped on compromised servers"
author = "Florian Roth"
reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
date = "2021-03-07"
score = 85
strings:
$s1 = "<%@Page Language=\"Jscript\"%>" ascii wide nocase
$s2 = ".FromBase64String(" ascii wide nocase
$s3 = "eval(System.Text.Encoding." ascii wide nocase
condition:
filesize < 850 and
all of them
}
// Windows Error Report for a w3wp.exe crash in MSExchangeECPAppPool. Per the
// description this report is only written when the CVE-2021-26857 attempt
// fails (i.e. after patching), so a hit is evidence of attempted exploitation,
// not of compromise. 0xfeff little-endian is the byte pair FF FE -- the
// UTF-16LE BOM -- which is why the strings are `wide` only. Both required.
rule APT_HAFNIUM_ForensicArtefacts_WER_Mar21_1 {
meta:
description = "Detects a Windows Error Report (WER) that indicates and exploitation attempt of the Exchange server as described in CVE-2021-26857 after the corresponding patches have been applied. WER files won't be written upon successful exploitation before applying the patch. Therefore, this indicates an unsuccessful attempt."
author = "Florian Roth"
reference = "https://twitter.com/cyb3rops/status/1368471533048446976"
date = "2021-03-07"
score = 50
strings:
$s1 = "AppPath=c:\\windows\\system32\\inetsrv\\w3wp.exe" wide fullword
$s7 = ".Value=w3wp#MSExchangeECPAppPool" wide
condition:
uint16(0) == 0xfeff and
filesize < 8KB and
all of them
}
// Yara rules for IIS / Exchange logs. Use YaraUrl if the endpoints have connectivity.
// Find updated rules direct from source, or paste the raw URL below into the YaraUrl field.
// The raw URL is required: the github.com/.../blob/ page serves HTML, not rule text.
// (YARA has no '#' comments -- only // and /* */ -- so keep this header in // form if you paste the file into YaraRule.)
// https://raw.githubusercontent.com/Neo23x0/signature-base/master/yara/apt_hafnium_log_sigs.yar
// Log artefact of the CVE-2021-27065 write primitive: the OAB virtual
// directory's ExternalUrl being set through the cmdlet (per the referenced
// Volexity write-up the attacker plants shell code in that property).
// Administrators legitimately run Set-OabVirtualDirectory, so triage the value
// being written rather than treating the log line alone as malicious.
rule EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065"
author = "Florian Roth"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-02"
strings:
$s1 = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='" ascii wide fullword
condition:
1 of them
}
// POST requests to static OWA theme resources (css, gif, eot, ttf) that are
// normally only ever fetched with GET; per the referenced report this is the
// request shape of CVE-2021-26858 exploitation. No status code is matched, so
// blocked or failed attempts match as well. (lgnbotl.gif is listed twice in the
// alternation -- redundant but harmless.)
rule EXPL_LOG_CVE_2021_26858_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-26858"
author = "Florian Roth"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-02"
score = 65
modified = "2021-03-04"
strings:
$xr1 = /POST (\/owa\/auth\/Current\/themes\/resources\/logon\.css|\/owa\/auth\/Current\/themes\/resources\/owafont_ja\.css|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif|\/owa\/auth\/Current\/themes\/resources\/owafont_ko\.css|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiBold\.eot|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiLight\.ttf|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif)/
condition:
$xr1
}
// Request / user-agent combinations from public HAFNIUM reporting as they
// appear in IIS W3C logs: POSTs to ecp static files answered 2xx/3xx, POSTs to
// /owa/auth/Current/ carrying crawler UAs, POSTs to /ecp/ from
// ExchangeServicesClient/0.0.0.0 or python-requests, and POSTs to
// /aspnet_client or /owa with the antSword UA. The patterns depend on the W3C
// log layout (single-space field separators, '+' in place of spaces inside the
// UA) and are case-sensitive; the {100,600} / {200,600} gaps assume the default
// field order, so a customised IIS log format may not match.
rule LOG_APT_HAFNIUM_Exchange_Log_Traces_Mar21_1 : LOG {
meta:
description = "Detects suspicious log entries that indicate requests as described in reports on HAFNIUM activity"
author = "Florian Roth"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-04"
score = 65
strings:
$xr1 = /POST \/(ecp\/y\.js|ecp\/main\.css|ecp\/default\.flt)[^\n]{100,600} (200|301|302) /
$xr3 = /POST \/owa\/auth\/Current\/[^\n]{100,600} (DuckDuckBot\/1\.0;\+\(\+http:\/\/duckduckgo\.com\/duckduckbot\.html\)|facebookexternalhit\/1\.1\+\(\+http:\/\/www\.facebook\.com\/externalhit_uatext\.php\)|Mozilla\/5\.0\+\(compatible;\+Baiduspider\/2\.0;\+\+http:\/\/www\.baidu\.com\/search\/spider\.html\)|Mozilla\/5\.0\+\(compatible;\+Bingbot\/2\.0;\+\+http:\/\/www\.bing\.com\/bingbot\.htm\)|Mozilla\/5\.0\+\(compatible;\+Googlebot\/2\.1;\+\+http:\/\/www\.google\.com\/bot\.html|Mozilla\/5\.0\+\(compatible;\+Konqueror\/3\.5;\+Linux\)\+KHTML\/3\.5\.5\+\(like\+Gecko\)\+\(Exabot-Thumbnails\)|Mozilla\/5\.0\+\(compatible;\+Yahoo!\+Slurp;\+http:\/\/help\.yahoo\.com\/help\/us\/ysearch\/slurp\)|Mozilla\/5\.0\+\(compatible;\+YandexBot\/3\.0;\+\+http:\/\/yandex\.com\/bots\)|Mozilla\/5\.0\+\(X11;\+Linux\+x86_64\)\+AppleWebKit\/537\.36\+\(KHTML,\+like\+Gecko\)\+Chrome\/51\.0\.2704\.103\+Safari\/537\.3)/
$xr4 = /POST \/ecp\/[^\n]{100,600} (ExchangeServicesClient\/0\.0\.0\.0|python-requests\/2\.19\.1|python-requests\/2\.25\.1)[^\n]{200,600} (200|301|302) /
$xr5 = /POST \/(aspnet_client|owa)\/[^\n]{100,600} (antSword\/v2\.1|Googlebot\/2\.1\+\(\+http:\/\/www\.googlebot\.com\/bot\.html\)|Mozilla\/5\.0\+\(compatible;\+Baiduspider\/2\.0;\+\+http:\/\/www\.baidu\.com\/search\/spider\.html\))[^\n]{200,600} (200|301|302) /
condition:
1 of them
}
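// EDR "guardrail" checks: the shell tests for EDR agents on disk before acting
// (FireEye endpoint agent xagt.exe; presumably Carbon Black Defense, formerly
// Confer, via its eula.txt; CrowdStrike Falcon service). The patterns match the
// C# string-literal form of the path -- doubled backslashes and an escaped
// opening quote -- as found in the referenced SecChecker sample. Any one check
// matches; no size cap, so a hit in a large legitimate admin page is possible
// but unlikely.
rule WEBSHELL_APT_EDR_Guardrails {
meta:
description = "Detects EDR guardrails in a Webshell"
author = "Matt Green @mgreen27"
reference = "https://www.virustotal.com/gui/file/b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0/content/strings"
date = "2021-03-05"
strings:
// the '.' in the file names is escaped (as it already was in $rail3) so an
// unescaped wildcard cannot widen the match to e.g. "xagtXexe"
$rail1 = /System\.IO\.File\.Exists\(\"c:\\\\program files \(x86\)\\\\fireeye\\\\xagt\.exe/
$rail2 = /System\.IO\.File\.Exists\(\"c:\\\\program files\\\\confer\\\\eula\.txt/
$rail3 = /System\.IO\.File\.Exists\(\"c:\\\\program files\\\\crowdstrike\\\\csfalconservice\.exe/
condition:
any of them
}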
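// Source IPs published for HAFNIUM infrastructure, for IIS / Exchange log
// scanning. The alternation is wrapped in \b...\b so an address only matches as
// a whole token: without the boundaries 5.2.69.14 also hit 5.2.69.140-149 and
// 15.2.69.14, and 5.254.43.18 hit 5.254.43.180-189. These are point-in-time
// indicators from the referenced report and attacker infrastructure is
// recycled, so treat a hit as a lead to pivot on (request path, UA, timing)
// rather than as a verdict.
rule LOG_APT_HAFNIUM_IIS_Log_IP_Mar21 {
meta:
description = "Detects forensic artefacts found in HAFNIUM intrusions"
author = "Matt Green @mgreen27"
reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
date = "2021-03-04"
strings:
$ip = /\b(103\.77\.192\.219|104\.140\.114\.110|104\.250\.191\.110|108\.61\.246\.56|149\.28\.14\.163|157\.230\.221\.198|167\.99\.168\.251|185\.250\.151\.72|192\.81\.208\.169|203\.160\.69\.66|211\.56\.98\.146|5\.254\.43\.18|5\.2\.69\.14|80\.92\.205\.81|91\.192\.103\.43)\b/
condition:
$ip
}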