1/2

Hafnium Exchange Vuln Detection - KQL
pastebin.com/J4L3r2RS

MalwareQuinn
Mar 5th, 2021

4,976

Never

Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 1.50 KB
Copied copy raw download clone embed print report

1. let networkEvent = DeviceNetworkEvents

2. | where ActionType == "InboundConnectionAccepted" and InitiatingProcessFileName
=~ "System"

3. | extend netTimestamp = Timestamp

4. | project DeviceId, DeviceName, netTimestamp, RemoteIP, RemotePort; //Grab a table
of all accepted inbound connections, projecting the Timestamp for further manipulation

5. let shellWrite = DeviceFileEvents

6. | where ActionType == "FileCreated" and FolderPath has "inetpub" and FileName
has_any (".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml")

7. | project DeviceName, DeviceId, Timestamp, FileName, FolderPath; //Grab a table of
all created files in inetpub, with a file extension ending in ".php", ".jsp", ".js", ".aspx",
".asmx", ".asax", ".cfm", ".shtml". Projecting timestamp for further manipulation

8. DeviceFileEvents

https://pastebin.com/J4L3r2RS
https://pastebin.com/u/MalwareQuinn
https://pastebin.com/signup
https://pastebin.com/archive/text
https://pastebin.com/raw/J4L3r2RS
https://pastebin.com/dl/J4L3r2RS
https://pastebin.com/clone/J4L3r2RS
https://pastebin.com/embed/J4L3r2RS
https://pastebin.com/print/J4L3r2RS
https://pastebin.com/report/J4L3r2RS


2/2

9. | where (FileName =~ "applicationHost.config" or FileName =~ "administration.config")
and FolderPath contains "inetpub" //Grab all instances of updates to the IIS
applicationHost.config or administration.config

10. | join shellWrite on DeviceName, DeviceId

11. | join networkEvent on DeviceId, DeviceName

12. | extend time_diff = datetime_diff('second',Timestamp,Timestamp1) //create a time
differential column for shellWrite and config update

13. | extend netTimeDiff = datetime_diff('second',Timestamp1,netTimestamp) //create a
time differential column for networkEvent and the shellWrite

14. | where (time_diff <= 60 and time_diff >= 0) and (netTimeDiff <= 10 and netTimeDiff >=
0) //differential filtering for networkEvent and shellWrite

RAW Paste Data Copied