# Hafnium Exchange Vuln Detection - KQL

**pastebin.com/J4L3r2RS**

[MalwareQuinn](https://pastebin.com/u/MalwareQuinn)
Mar 5th, 2021

4,976

Never

**Not a member of Pastebin yet?** **[Sign Up, it unlocks many cool features!](https://pastebin.com/signup)**
[text 1.50 KB](https://pastebin.com/archive/text)
Copied copy [raw](https://pastebin.com/raw/J4L3r2RS) [download](https://pastebin.com/dl/J4L3r2RS) [clone](https://pastebin.com/clone/J4L3r2RS) [embed](https://pastebin.com/embed/J4L3r2RS) [print](https://pastebin.com/print/J4L3r2RS) [report](https://pastebin.com/report/J4L3r2RS)

1. let networkEvent = DeviceNetworkEvents

2. | where ActionType == "InboundConnectionAccepted" and InitiatingProcessFileName

=~ "System"

3. | extend netTimestamp = Timestamp

4. | project DeviceId, DeviceName, netTimestamp, RemoteIP, RemotePort; //Grab a table

of all accepted inbound connections, projecting the Timestamp for further manipulation

5. let shellWrite = DeviceFileEvents

6. | where ActionType == "FileCreated" and FolderPath has "inetpub" and FileName

has_any (".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml")

7. | project DeviceName, DeviceId, Timestamp, FileName, FolderPath; //Grab a table of

all created files in inetpub, with a file extension ending in ".php", ".jsp", ".js", ".aspx",
".asmx", ".asax", ".cfm", ".shtml". Projecting timestamp for further manipulation

8. DeviceFileEvents


-----

9. | where (FileName =~ applicationHost.config or FileName =~ administration.config )

and FolderPath contains "inetpub" //Grab all instances of updates to the IIS
applicationHost.config or administration.config

10. | join shellWrite on DeviceName, DeviceId

11. | join networkEvent on DeviceId, DeviceName

12. | extend time_diff = datetime_diff('second',Timestamp,Timestamp1) //create a time

differential column for shellWrite and config update

13. | extend netTimeDiff = datetime_diff('second',Timestamp1,netTimestamp) //create a

time differential column for networkEvent and the shellWrite

14. | where (time_diff <= 60 and time_diff >= 0) and (netTimeDiff <= 10 and netTimeDiff >=

0) //differential filtering for networkEvent and shellWrite

RAW Paste Data Copied


-----