{
	"id": "fa18b8f9-60ee-40f7-a879-92f542dbbccd",
	"created_at": "2026-04-06T00:16:48.405555Z",
	"updated_at": "2026-04-10T03:35:48.595213Z",
	"deleted_at": null,
	"sha1_hash": "5c13a3c9d8dbd3c81723343c6c214a811f5ee27e",
	"title": "Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 315860,
	"plain_text": "Tactics, Techniques, and Procedures (TTPs) Used by HAFNIUM to Target Microsoft Exchange Servers\r\nBy Suleyman Ozarslan, PhD\r\nPublished: 2021-03-10 · Archived: 2026-04-05 16:29:50 UTC\r\nExecutive Summary\r\nMicrosoft released out-of-band security updates for Exchange Server on March 2, 2021 [1]. The usual reason for an out-of-band release is active, widespread exploitation of a 0-day vulnerability, and that is the case here: the updates address four 0-day vulnerabilities in Microsoft Exchange Server that allow threat actors to read sensitive information in emails, take control of the target server, collect and exfiltrate data from the compromised server, and move laterally to other systems in the network.\r\nThe threat group exploiting these Microsoft Exchange Server vulnerabilities is dubbed HAFNIUM by Microsoft [2], and the attack campaign is named Operation Exchange Marauder by Volexity [3]. Although HAFNIUM primarily targets the defense, higher education, and health sectors in the United States, these zero-days affect unpatched Microsoft Exchange Servers worldwide. For example, the European Banking Authority (EBA) has announced that it was the subject of a cyber-attack against its Microsoft Exchange Servers [4], and an incident caused by these vulnerabilities has been reported in Denmark [5].\r\nIn this article, we analyze the Tactics, Techniques, and Procedures (TTPs) used by the HAFNIUM threat actor to understand their attack methods and the impact of this breach. We also give mitigation and detection suggestions and relevant IOCs for this campaign.\r\nKey Findings\r\nTimeline: The attack campaign was first detected in January 2021 [3]. Microsoft released updates on March 2, 2021, and Volexity and Microsoft published blog posts on the same day. The European Banking Authority (EBA) announced its breach on March 7, 2021. 
\r\nPrevalence: The attack campaign has the potential to affect thousands of public and private organizations.\r\nAttack Lifecycle: The attack starts with reconnaissance of vulnerable Exchange servers and continues with exploitation of the unauthenticated SSRF vulnerability (CVE-2021-26855), which gives the attacker the authenticated position needed to reach the post-authentication vulnerabilities (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065). The adversary then uses these vulnerabilities to upload web shells and executes malicious commands through them. In the post-exploitation phase, the adversary collects and exfiltrates data, dumps credentials, and moves laterally.\r\nImpact: Threat actors read sensitive information in user mailboxes, compromise the victim server, dump local credentials, add user accounts, dump the Active Directory database (NTDS.dit), and move laterally to other systems in the network.\r\nExploitability: Exploits are available, and all of the vulnerabilities are being exploited by adversaries. The chain can be run remotely without credentials: CVE-2021-26855 is unauthenticated, and it supplies the authentication that the three post-authentication vulnerabilities require.\r\nPriority: Security teams must treat these vulnerabilities with the highest priority.\r\nhttps://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers\r\nPage 1 of 17\n\nAffected Versions: Microsoft Exchange 2019, 2016, 2013, and 2010 (2010 is affected by CVE-2021-26857 only).\r\nMitigation: Microsoft Exchange Servers must be patched as soon as possible.\r\nInterim Mitigations: If you are unable to patch Exchange servers, implement the IIS URL Rewrite rule provided by Microsoft and disable the Unified Messaging (UM) services, the ECP virtual directory, and the OAB virtual directory [6]. These mitigations only block the known attack vectors and break the corresponding functionality; they do not remove web shells or accounts an attacker has already planted, so a server mitigated after exposure still has to be investigated.\r\nDetection: Scan Exchange server logs and paths for the released IOCs. You can use the Sigma/QRadar/Splunk/ArcSight detection rules released by Picus.\r\nVulnerabilities and Affected Exchange Servers\r\nThe Exploited Zero-Day Vulnerabilities and Their Impacts\r\nCurrently, the following vulnerabilities are exploited by adversaries:\r\nCVE | Vulnerability Type | Impact | CVSS 3.0 Base Score\r\nCVE-2021-26855 [7] | SSRF (Server-Side Request Forgery) | Gain access to mailboxes and read their full contents | 9.1 Critical\r\nCVE-2021-26857 [8] | Insecure Deserialization (in the Unified Messaging service) | Arbitrary code execution as the SYSTEM user, compromise the system | 7.8 High\r\nCVE-2021-26858 [9] | Post-Authentication Arbitrary File Write | Arbitrary code execution, compromise the system | 7.8 High\r\nCVE-2021-27065 [10] | Post-Authentication Arbitrary File Write | Arbitrary code execution, compromise the system | 7.8 High\r\nAlthough the CVSS 3.0 score of CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 is “7.8 High” rather than “Critical”, when chained with CVE-2021-26855 these vulnerabilities enable an unauthenticated remote attacker to compromise the target Exchange server, because the SSRF supplies the authentication they require.\r\nAffected Microsoft Exchange Server Versions\r\nVersion | Status | Mitigation\r\nExchange 2019 | Affected (all CVEs) | Immediately deploy the updates.\r\nExchange 2016 | Affected (all CVEs) | Immediately deploy the updates.\r\nExchange 2013 | Affected (all CVEs) | Immediately deploy the updates.\r\nExchange 2010 | Affected (CVE-2021-26857) | Immediately deploy the updates.\r\nExchange 2007 | Unknown; stated as “not believed to be affected” by Microsoft [1]. | Unsupported by Microsoft; upgrade to a supported version.\r\nExchange 2003 | Unknown; stated as “not believed to be affected” by Microsoft [1]. | Unsupported by Microsoft; upgrade to a supported version.\r\nExchange Online / Office 365 | Not Affected | 
Tactics, Techniques, and Procedures (TTPs) utilized by HAFNIUM\r\nHAFNIUM uses 11 of the 14 tactics in the MITRE ATT\u0026CK framework. You can create an adversary emulation plan using the techniques and sub-techniques given below to validate your security controls against the HAFNIUM threat group. The Picus Threat Database includes an APT adversary emulation scenario for HAFNIUM along with 700+ other attack scenarios and 10000+ network and endpoint attack emulations. Some actions of the HAFNIUM adversary emulation scenario in Picus are shown in the screenshot below.\r\n1. Reconnaissance\r\nThe Reconnaissance tactic of the MITRE ATT\u0026CK framework covers techniques in which adversaries actively or passively collect information before compromising a victim [11]. Attackers then use this information in later phases of the attack lifecycle; HAFNIUM uses it for Initial Access.\r\n      1.1 MITRE ATT\u0026CK T1592.002 Gather Victim Host Information: Software\r\nThe HAFNIUM threat actor determines whether an Exchange server is running on the target machine and, if so, which version is running [1]. Adversaries collect information about installed software on a victim machine, which may be used for targeting [12].\r\n2. Resource Development\r\nThe Resource Development tactic covers techniques in which adversaries create, purchase, or compromise resources such as infrastructure, accounts, or capabilities [13]. They develop these resources before compromising the victim and leverage them in other phases, for example by using leased Virtual Private Servers to support Command and Control.\r\n     2.1 MITRE ATT\u0026CK T1583.003 Acquire Infrastructure: Virtual Private Server\r\nHAFNIUM operates its campaign from leased Virtual Private Servers (VPSs) in the United States [1]. Adversaries rent VPSs to make it difficult to tie operations back to them physically [14]; VPSs also let them provision, modify, and shut down infrastructure quickly.\r\n2.2 MITRE ATT\u0026CK T1588.002 Obtain Capabilities: Tool\r\nAdversaries obtain tools to support their operations [15]. These tools can be free or commercial, open or closed source. The HAFNIUM threat group uses the following tools in its post-compromise activity.\r\nTool | Description\r\nProcdump | Procdump is a command-line utility that is part of the Microsoft Sysinternals suite. Although its primary purpose is monitoring an application for CPU spikes and generating crash dumps to determine the cause of the spike, it can be used to dump the memory of any process [16].\r\nNishang | Nishang is a collection of PowerShell scripts and payloads for penetration testing and red teaming; it can be categorized as a PowerShell post-exploitation framework [17]. Nishang’s Copy-VSS script can be used to copy the SAM file (and other locked files such as NTDS.dit) from a volume shadow copy and dump credentials [16]. Advanced Persistent Threat (APT) groups use Nishang heavily in their operations [17].\r\nPowerCat | PowerCat is an open-source PowerShell script that reads and writes data across network connections like the well-known Netcat tool [18].\r\nPsExec | PsExec is a legitimate Microsoft tool and part of the Windows Sysinternals utilities [19]. PsExec can execute commands and binaries on remote systems and download or upload a file over a network share. Ransomware operators such as Nefilim and LockerGoga also use PsExec for lateral movement [20] [21].\r\nCovenant | Covenant is an open-source Command and Control (C2) framework written in .NET [22].\r\nSIMPLESEESHARP | SIMPLESEESHARP is a simple ASPX web shell used by HAFNIUM to write additional files to disk, such as the SPORTSBALL web shell [3].\r\nSPORTSBALL | SPORTSBALL is a more extensive web shell used by HAFNIUM to upload files or execute commands on the system [3].\r\nChina Chopper | China Chopper is a web shell that provides access back into the victim system and is used by several threat groups [23].\r\nASPXSPY | ASPXSpy is a publicly available web shell used by several threat groups, such as Threat Group-3390 [24].\r\n7-Zip | HAFNIUM uses 7-Zip to compress data to be exfiltrated.\r\nWinRAR | HAFNIUM uses WinRAR to compress data prior to exfiltration.\r\nExchange Snap-ins | HAFNIUM uses Exchange PowerShell snap-ins to export mailbox data [2].\r\n3. Initial Access\r\nThe Initial Access tactic covers techniques used by attackers to gain an initial foothold within a network, such as exploiting vulnerabilities on public-facing web servers [25].\r\n    3.1 MITRE ATT\u0026CK T1190 Exploit Public-Facing Application\r\nAdversaries exploit vulnerabilities in Internet-facing software, such as web servers, to gain access to the host [26]. HAFNIUM exploits CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in Internet-facing, unpatched Microsoft Exchange servers for initial access [2] [3]: the SSRF gives unauthenticated access, and the file-write vulnerabilities are then used to drop the web shells described below.\r\n
4. Execution\r\n    4.1 T1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nWeb shells used by the HAFNIUM threat group, such as China Chopper [27], allow adversaries to execute commands on the victim server through the Windows Command Shell (cmd.exe), the primary command prompt on Windows systems. Because an ASPX web shell runs inside the IIS worker process, these commands appear as cmd.exe (or PowerShell) child processes of w3wp.exe, which is a useful detection pivot.\r\nEnroll in the free “MITRE ATT\u0026CK Windows Command Shell” course in Purple Academy to learn how adversaries use the Windows Command Shell in their attacks, with red and blue team exercises.\r\nRead our blog post about the Windows Command Shell (Command Line Interface) technique.\r\n5. Persistence\r\nThe Persistence tactic consists of techniques used by adversaries to maintain their foothold across system restarts, changed credentials, or patched vulnerabilities [28].\r\n5.1 MITRE ATT\u0026CK T1505.003 Server Software Component: Web Shell\r\nAdversaries use web shells, web scripts placed on web servers, as backdoors to establish persistence on the target server [29]. Patching the Exchange vulnerabilities does not remove a web shell that was planted before the patch. HAFNIUM utilizes the following web shells, described under “T1588.002 Obtain Capabilities: Tool” above:\r\nSIMPLESEESHARP\r\nSPORTSBALL\r\nChina Chopper\r\nASPXSPY\r\n    5.2 MITRE ATT\u0026CK T1136.002 Create Account: Domain Account\r\nAdversaries such as HAFNIUM add new domain accounts and grant privileges to these accounts to maintain access in the future [3].\r\n6. Defense Evasion\r\nDefense Evasion consists of techniques that adversaries use to avoid detection by security controls.\r\n    6.1 T1036.005 Masquerading: Match Legitimate Name or Location\r\nAdversaries may give their artifacts names or locations identical or similar to those of legitimate files to evade monitoring and detection [30]. HAFNIUM names its deployed web shells after legitimate files, using names such as log.aspx, logout.aspx, default.aspx, errorPage.aspx, and server.aspx. A familiar name is therefore not enough to clear a file; compare the file list and hashes of the OWA and ECP folders against a known-good installation. You can find the list of web shell filenames in the Indicators of Compromise (IoC) list at the end of this article.\r\nEnroll in the free and practical “MITRE ATT\u0026CK Masquerading” course in Purple Academy to learn all sub-techniques of this technique with red and blue team exercises.\r\nRead our blog post about the Masquerading technique.\r\n7. Credential Access\r\nThe Credential Access tactic includes techniques used by adversaries to steal account usernames and passwords.\r\n    7.1 MITRE ATT\u0026CK T1003.001 - OS Credential Dumping: LSASS Memory\r\nAttackers target many information sources to dump credentials. One of them is the Local Security Authority Subsystem Service (LSASS), which keeps the credentials of logged-in users in memory so that they can access network resources without re-entering them [16]. Adversaries interact with the lsass.exe process and dump its memory to obtain these credentials. Several methods and tools can be used for this; HAFNIUM uses Procdump to dump the LSASS process memory and then extracts the credentials from the dump file offline. An example ProcDump command that dumps the LSASS process is given below:\r\nC:\\temp\u003eprocdump.exe -accepteula -ma lsass.exe lsass.dmp\r\nThe Sigma rule “Process Dumping via Procdump” in the countermeasures section matches this command line; the -ma flag (full memory dump) together with lsass.exe as the target is the indicator.\r\n7.2 T1003.003 OS Credential Dumping: NTDS\r\nHAFNIUM creates and steals copies of the NTDS.dit file using deployed web shells [3]. The NTDS.dit file is the Active Directory Domain Services (AD DS) database that contains AD data, including information about user objects, groups, and group membership. The NTDS.dit database also includes the password hashes of all users in the domain. Because the file is locked while AD DS is running, it is typically copied from a volume shadow copy (for example with Nishang’s Copy-VSS listed above), and the attacker also needs the SYSTEM registry hive to decrypt the hashes; shadow copy creation on a domain controller followed by copies of ntds.dit and SYSTEM is the pattern to look for.\r\nEnroll in the free “MITRE ATT\u0026CK OS Credential Dumping” course in Purple Academy to learn 11 ways of credential dumping with practical red team exercises.\r\nRead our blog post about the OS Credential Dumping technique.\r\n8. Lateral Movement\r\nThe Lateral Movement tactic includes techniques that adversaries use to access and control remote systems on the target network [31].\r\n    8.1 MITRE ATT\u0026CK T1021.002 - Remote Services: SMB/Windows Admin Shares\r\nHAFNIUM uses PsExec to move laterally through the target environment [3]. PsExec is a legitimate Windows Sysinternals tool that attackers use to run commands on remote systems with valid accounts: it copies its service executable to the remote host’s ADMIN$ share over SMB and starts it as a service [32].\r\n9. Collection\r\nThe Collection tactic consists of techniques used by adversaries to gather information relevant to their objectives.\r\n    9.1 MITRE ATT\u0026CK T1560.001 - Archive Collected Data: Archive via Utility\r\nAdversaries may use utilities such as 7-Zip, WinRAR, and WinZip to compress or encrypt data before exfiltration [33]. Among these utilities, HAFNIUM uses WinRAR and 7-Zip to compress the data to be exfiltrated.\r\n    9.2 MITRE ATT\u0026CK T1114.002 - Email Collection: Remote Email Collection\r\nAdversaries may access external-facing Exchange services to collect emails and sensitive information by leveraging valid accounts, access tokens, or remote exploits [34]. HAFNIUM adds and uses Exchange PowerShell snap-ins to export mailbox data [2].\r\n
10. Command and Control\r\nThe Command and Control (C2) tactic consists of techniques used by adversaries to communicate with compromised systems within a victim network [35].\r\n    10.1 MITRE ATT\u0026CK T1071.001 - Application Layer Protocol: Web Protocols\r\nThe HAFNIUM threat group communicates with its deployed web shells over application-layer web protocols (HTTP/HTTPS). Adversaries use these protocols for C2 because they blend into normal traffic and pass network filtering [36]; on an Exchange server this traffic terminates at IIS, so the web shell requests are recorded in the IIS logs.\r\n11. Exfiltration\r\n    11.1 MITRE ATT\u0026CK T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage\r\nAdversaries may exfiltrate data to cloud storage services that allow files to be uploaded, modified, and retrieved. HAFNIUM exfiltrates collected data to file-sharing services such as MEGA [2].\r\nCountermeasures by Picus\r\nBuilt on technology alliances, the Picus Mitigation Library delivers immediate value by providing mitigation insights in the Network Security, Endpoint Detection and Response, and Security Information and Event Management categories. The Picus Threat Library includes most of the tools used in this campaign, and the Picus Mitigation Library contains actionable mitigation recommendations and detection rules against them. Picus Labs’ Red and Blue Teams are working on the remaining tools and adding them and their techniques to our libraries.\r\nThis means that Picus users have already assessed their cyber defense against most of the tools HAFNIUM uses and their attack techniques, and they fixed the identified gaps using the actionable recommendations provided by the Picus platform. We decided to share these actionable recommendations with the community in this article to help defend against these tools. 
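As an added example that is not part of the Picus article, the following Python script applies three of the indicators given in the Indicators of Compromise section below to IIS W3C log lines: POST requests to the static OWA/ECP resources that the authentication bypass targets, the non-standard user-agents, and requests for .aspx files under aspnet_client. The log lines, the field layout, and the IP addresses are constructed for the example; the parser reads the real column order from the log’s own #Fields: header, so a production log does not have to match the sample layout.

```python
# Added example, not code from the Picus article: apply three of the article's
# indicators to IIS W3C log lines. The log lines, field order and IP addresses
# below are constructed for this example; a real log's #Fields: header is read
# to map columns, so the field order does not have to match this sample.

# Static OWA/ECP resources the actor POSTed to during the CVE-2021-26855
# authentication bypass. Clients only ever GET these files, so a POST is
# anomalous regardless of the user agent.
STATIC_PREFIXES = ('/owa/auth/current/themes/resources/', '/ecp/')
STATIC_SUFFIXES = ('.gif', '.css', '.js', '.eot', '.ttf', '.flt')

# A subset of the non-standard user agents from the article's IOC list,
# lower-cased. IIS stores spaces in the user agent as '+'.
SUSPICIOUS_USER_AGENTS = {
    'antsword/v2.1',
    'exchangeservicesclient/0.0.0.0',
    'python-requests/2.19.1',
    'python-requests/2.25.1',
    'googlebot/2.1+(+http://www.googlebot.com/bot.html)',
    'duckduckbot/1.0;+(+http://duckduckgo.com/duckduckbot.html)',
}

# aspnet_client only ever holds ASP.NET client scripts; any .aspx served from
# it is a dropped file. owa/auth and ecp/auth do contain legitimate .aspx pages,
# so requests there have to be compared against a clean install instead.
WEBSHELL_URL_PREFIX = '/aspnet_client/'


def parse_w3c(lines):
    '''Parse IIS W3C extended log lines into dicts keyed by the #Fields: names.'''
    fields = []
    records = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith('#Fields:'):
            fields = line.split()[1:]
            continue
        if line.startswith('#'):          # other directives (#Software, #Date)
            continue
        values = line.split(' ')
        if fields and len(values) == len(fields):
            records.append(dict(zip(fields, values)))
    return records


def classify(rec):
    '''Return the names of the rules a single request matches (possibly none).'''
    method = rec.get('cs-method', '').upper()
    path = rec.get('cs-uri-stem', '').lower()
    ua = rec.get('cs(User-Agent)', '').lower()
    hits = []
    if method == 'POST' and path.startswith(STATIC_PREFIXES) and path.endswith(STATIC_SUFFIXES):
        hits.append('post_to_static_owa_resource')
    if ua in SUSPICIOUS_USER_AGENTS:
        hits.append('non_standard_user_agent')
    if path.startswith(WEBSHELL_URL_PREFIX) and path.endswith('.aspx'):
        hits.append('aspx_in_aspnet_client')
    return hits


def scan_iis_log(lines):
    '''Return one finding per request that matches at least one rule.'''
    findings = []
    for rec in parse_w3c(lines):
        hits = classify(rec)
        if hits:
            findings.append({
                'client': rec['c-ip'],
                'request': rec['cs-method'] + ' ' + rec['cs-uri-stem'],
                'user_agent': rec['cs(User-Agent)'],
                'rules': hits,
            })
    return findings


# Constructed sample log (not real telemetry). 203.0.113.7 plays the attacker;
# 198.51.100.20 is a legitimate OWA user whose requests must not be flagged.
SAMPLE_LOG = '''
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:15:02 10.0.0.5 POST /owa/auth/Current/themes/resources/logon.css - 443 - 203.0.113.7 python-requests/2.25.1 - 200 0 0 31
2021-03-03 10:15:09 10.0.0.5 POST /ecp/y.js - 443 - 203.0.113.7 ExchangeServicesClient/0.0.0.0 - 200 0 0 44
2021-03-03 10:16:40 10.0.0.5 POST /aspnet_client/supp0rt.aspx - 443 - 203.0.113.7 antSword/v2.1 - 200 0 0 12
2021-03-03 10:17:01 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://mail.example.com/owa/ 200 0 0 5
2021-03-03 10:17:03 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.20 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) https://mail.example.com/owa/ 302 0 0 20
'''.splitlines()


if __name__ == '__main__':
    for f in scan_iis_log(SAMPLE_LOG):
        print(f['client'], f['request'], f['user_agent'], ', '.join(f['rules']))
```

On the sample, the three attacker requests are flagged and the legitimate user’s GET of the same stylesheet and normal logon POST are not. To run it against a real server, pass the lines of the IIS log files (by default under the inetpub LogFiles folder) to scan_iis_log in place of SAMPLE_LOG; the Exchange HttpProxy logs use a CSV layout and are not handled here. The user-agent rule is deliberately the weakest of the three, since crawler user-agents also appear in benign traffic; the POST-to-static-resource rule is the one that stands on its own.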
\r\nCountermeasures with Open-source Sigma and Snort Rules\r\nPicus Labs Blue Team develops, tests, and verifies detection rules in SIGMA, a generic and open signature format for SIEM products, based on the threats developed by Picus Labs Red Team. The Blue Team also simulates these threats against Snort IPS, an open-source Intrusion Prevention System, analyzes the results, and maps them to the right signatures.\r\nIn this section, you can find the SIGMA rules and Snort signatures to defend against the TTPs used by HAFNIUM to target Microsoft Exchange Servers. The SIGMA rule names and Snort signature categories are listed below; detailed information about them is published in Picus Labs’ GitHub repository:\r\nSIGMA Rules:\r\nProcess Dumping via Procdump\r\nRemote Command Execution via Powercat\r\nSuspicious ASPX File Creation\r\nSuspicious PowerShell Invoke Expression Usage\r\nTCP Connection Creating via PowerShell Script\r\nData Collection with 7z.exe via Commandline\r\nSnort Rules:\r\nSignature Id | Signature Name\r\n1.2017260.10 | ET WEB_SERVER WebShell Generic - ASP File Uploaded\r\n1.57241.4 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt\r\n1.57242.4 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt\r\n1.57244.4 | SERVER-WEBAPP Microsoft Exchange Server server side request forgery attempt\r\nCountermeasures with QRadar, Splunk, Carbon Black, and ArcSight\r\nPicus works with SIEM and EDR vendors in a Technical Alliance Partnership program. Picus Labs Blue Team develops SIEM (IBM QRadar, Splunk, Micro Focus ArcSight) and EDR (VMware Carbon Black) specific detection rules based on the SIGMA rules defined in the section above. After development, they test and analyze the results in each vendor environment and finalize the rules in the specific product’s query language.\r\nIn this section, you can find the IBM QRadar, Splunk, Micro Focus ArcSight, and VMware Carbon Black rules to defend against the HAFNIUM threat group. You can find these rules in Picus Labs’ GitHub repository.\r\nVendor-Specific Prevention Signatures\r\nPicus also works with network security vendors through its Technical Alliance Partnership (TAP) program. Picus Labs Blue Team simulates the threats developed by Picus Labs Red Team against TAP vendor environments, then analyzes the results and maps them to the right signatures to eliminate false-positive (F/P) issues.\r\nIn this section, you can find the vendor-specific network prevention signatures to defend against the exploits and tools used by HAFNIUM to target Microsoft Exchange Servers. The vendors and products are listed below; detailed information about these signatures is published in Picus Labs’ GitHub repository.\r\nCheck Point NGFW\r\nCisco Firepower\r\nF5 BigIP ASM\r\nForcepoint NGFW\r\nFortinet AV, IPS, WAF, WEB\r\nMcAfee NSP\r\nPalo Alto Networks NGFW\r\nSnort IPS\r\n
Indicators of Compromise\r\nTargeted File Paths\r\nDuring the authentication bypass, the threat actors send HTTP POST requests to image (.gif), JavaScript (.js), cascading style sheet (.css), and font (.ttf, .eot) files used by Outlook Web Access (OWA). These are static resources that clients only ever retrieve with GET, so a POST to any of them is anomalous on its own. Look for them in the IIS logs (by default under \\inetpub\\logs\\LogFiles) and in the Exchange HttpProxy logs under \u003cexchange_install_path\u003e\\Logging\\HttpProxy; note that IIS records spaces in the user-agent as “+”, which is why the user-agents below contain that character. The following table shows the list of known file paths targeted by the POST requests:\r\nFolder | Files\r\n/owa/auth/Current/themes/resources/ | lgnbotl.gif, logon.css, owafont_ja.css, owafont_ko.css, SegoeUI-SemiBold.eot, SegoeUI-SemiLight.ttf\r\n/ecp/ | Default.flt, main.css, \u003csingle char\u003e.js\r\nUser-agents\r\nAdversaries used the following non-standard user-agents in the POST requests. Most of them imitate search-engine crawlers, which never POST to OWA; on its own the user-agent is a weak indicator, so combine it with the POST-to-static-resource pattern above:\r\nUser-Agent\r\nantSword/v2.1\r\nDuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)\r\nExchangeServicesClient/0.0.0.0\r\nfacebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)\r\nGooglebot/2.1+(+http://www.googlebot.com/bot.html)\r\nMozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)\r\nMozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)\r\nMozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html\r\nMozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)\r\nMozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)\r\nMozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)\r\nMozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36\r\npython-requests/2.19.1\r\npython-requests/2.25.1\r\n
Web Shells\r\nAdversaries upload web shells to the following paths. Bear in mind that there may be other web shells with different file names in these folders, so search for any new or modified ASPX files in these folders and their subfolders, and compare what you find against the file list of a clean installation rather than trusting a familiar name (see the Masquerading technique above).\r\nFolder | Web Shell Files\r\n\\\u003cexchange_install_path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\ | 8Lw7tAhF9i1pJnRo.aspx, a.aspx, authhead.aspx, bob.aspx, default.aspx, errorPage.aspx, errorPages.aspx, fatal-erro.aspx, log.aspx, logg.aspx, logout.aspx, one.aspx, one1.aspx, OutlookZH.aspx, shel.aspx, shel2.aspx, shel90.aspx\r\n\\\u003cexchange_install_path\u003e\\FrontEnd\\HttpProxy\\owa\\auth\\current\\ | one1.aspx\r\n\\\u003cexchange_install_path\u003e\\FrontEnd\\HttpProxy\\OAB | log.aspx\r\n\\inetpub\\wwwroot\\aspnet_client\\ | aspnet_client.aspx, aspnet_iisstart.aspx, aspnet_pages.aspx, aspnet_www.aspx, default1.aspx, discover.aspx, errorcheck.aspx, HttpProxy.aspx, iispage.aspx, OutlookEN.aspx, s.aspx, Server.aspx, session.aspx, shell.aspx, supp0rt.aspx, xclkmcfldfi948398430fdjkfdkj.aspx, xx.aspx\r\n\\inetpub\\wwwroot\\aspnet_client\\system_web\\ | log.aspx\r\n\\\u003cexchange_install_path\u003e\\FrontEnd\\HttpProxy\\ecp\\auth\\ | log.aspx\r\nCommand and Control IP Addresses\r\nThe following addresses were observed connecting to the compromised servers. Since the group operates from leased VPSs, expect them to rotate; treat this list as historical rather than exhaustive.\r\n103.77.192.219\r\n104.140.114.110\r\n104.250.191.110\r\n108.61.246.56\r\n149.28.14.163\r\n157.230.221.198\r\n167.99.168.251\r\n185.250.151.72\r\n192.81.208.169\r\n203.160.69.66\r\n211.56.98.146\r\n5.254.43.18\r\n80.92.205.81\r\nSHA256 Hashes of Web Shells\r\n511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1\r\nb75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0\r\n4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea\r\n811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d\r\n65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5\r\n097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e\r\n2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1\r\n1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944\r\n
References:\r\n[1] MSRC Team, “Multiple Security Updates Released for Exchange Server – updated March 8, 2021.” https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/.\r\n[2] Microsoft Threat Intelligence Center (MSTIC), Microsoft 365 Defender Threat Intelligence Team, and Microsoft 365 Security, “HAFNIUM targeting Exchange Servers with 0-day exploits,” 02-Mar-2021. https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/.\r\n[3] Volexity, “Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities.” https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/.\r\n[4] “Cyber-attack on the European Banking Authority - European Banking Authority,” 07-Mar-2021. https://www.eba.europa.eu/cyber-attack-european-banking-authority.\r\n[5] Dubex, “Please leave an exploit after the beep.” https://www.dubex.dk/aktuelt/nyheder/please-leave-an-exploit-after-the-beep.\r\n[6] MSRC Team, “Microsoft Exchange Server Vulnerabilities Mitigations – updated March 6, 2021.” https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/.\r\n[7] “Security Update Guide - Microsoft Security Response Center.” https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26855.\r\n[8] “Security Update Guide - Microsoft Security Response Center.” https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26857.\r\n[9] “Security Update Guide - Microsoft Security Response Center.” https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26858.\r\n[10] “Security Update Guide - Microsoft Security Response Center.” https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065.\r\n[11] “Reconnaissance.” https://attack.mitre.org/tactics/TA0043/.\r\n[12] “Gather Victim Host Information: Software.” https://attack.mitre.org/techniques/T1592/002/.\r\n[13] “Resource Development.” https://attack.mitre.org/tactics/TA0042/.\r\n[14] “Acquire Infrastructure: Virtual Private Server.” https://attack.mitre.org/techniques/T1583/003/.\r\n[15] “Obtain Capabilities: Tool.” https://attack.mitre.org/techniques/T1588/002/.\r\n[16] S. Özarslan, “MITRE ATT\u0026CK T1003 Credential Dumping.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1003-credential-dumping.\r\n[17] S. Özarslan, “MITRE ATT\u0026CK T1086 PowerShell.” https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1086-powershell.\r\n[18] besimorhino, “besimorhino/powercat.” https://github.com/besimorhino/powercat.\r\n[19] markruss, “PsExec - Windows Sysinternals.” https://docs.microsoft.com/en-us/sysinternals/downloads/psexec.\r\n[20] S. Özarslan, “How to Beat Nefilim Ransomware Attacks.” https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks.\r\n[21] S. Özarslan, “The Ransomware Resurgence Led By LockerGoga.” https://www.picussecurity.com/resource/blog/locker-goga.\r\n[22] cobbr, “cobbr/Covenant.” https://github.com/cobbr/Covenant.\r\n[23] “China Chopper.” https://attack.mitre.org/software/S0020/.\r\n[24] SecureWorks Counter Threat Unit Threat Intelligence, “Threat Group-3390 Targets Organizations for Cyberespionage.” https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage.\r\n[25] “Initial Access.” https://attack.mitre.org/tactics/TA0001/.\r\n[26] “Exploit Public-Facing Application.” https://attack.mitre.org/techniques/T1190/.\r\n[27] “China Chopper.” https://attack.mitre.org/software/S0020/.\r\n[28] “Persistence.” https://attack.mitre.org/tactics/TA0003/.\r\n[29] “Server Software Component: Web Shell.” https://attack.mitre.org/techniques/T1505/003/.\r\n[32] “Remote Services: SMB/Windows Admin Shares.” https://attack.mitre.org/techniques/T1021/002/.\r\n[33] “Archive Collected Data: Archive via Utility.” https://attack.mitre.org/techniques/T1560/001/.\r\n[34] “Email Collection: Remote Email Collection.” https://attack.mitre.org/techniques/T1114/002/.\r\n[35] “Command and Control.” https://attack.mitre.org/tactics/TA0011/.\r\n[36] “Application Layer Protocol: Web Protocols.” https://attack.mitre.org/techniques/T1071/001/.\r\nSource: https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers"
	],
	"report_names": [
		"ttps-hafnium-microsoft-exchange-servers"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-10T02:00:05.354598Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775792148,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5c13a3c9d8dbd3c81723343c6c214a811f5ee27e.pdf",
		"text": "https://archive.orkl.eu/5c13a3c9d8dbd3c81723343c6c214a811f5ee27e.txt",
		"img": "https://archive.orkl.eu/5c13a3c9d8dbd3c81723343c6c214a811f5ee27e.jpg"
	}
}