# Microsoft Exchange Zero Days – Mitigations and Detections

**blueteamblog.com/microsoft-exchange-zero-days-mitigations-and-detections**

By [Auth 0r](https://blueteamblog.com/author/auth0r) / March 6, 2021

This post will aim to explain what the Microsoft Exchange zero days are, and then provide all mitigation and detection advice which I am aware of so far. It will be updated every day, if and when new information is available. [If you feel like I missed anything important here, or made any mistakes, please DM me at https://twitter.com/blueteamblog](https://twitter.com/blueteamblog) and I’ll update the post.

**_All companies / researchers etc. will be credited throughout the post._**

### Post Updated 12th March

See further details on each point throughout the post.

**It has been discovered on the 12th of March that since the 9th of March, ransomware named DoejoCrypt aka DearCry has been targeting vulnerable Exchange Servers. A separate section has been created within the blog post for that, with the following details so far.**

- Bleeping Computer and TheRecord articles.
- 3 Yara rules.
- MalwareBazaar link.
- James Quinn analysis and AppAnyRun run.
- DearCry hashes from MSTIC.

Other updates:

- Further IOCs from BadPackets and TheDFIRReport.
- Added updated Splunk blog post.

### Post Updated 11th March

See further details on each point throughout the post.

- Microsoft have changed the links for their NMAP and IOC check script. Have added the new link.
- Added updated Elastic blog post which contains new TTPs.
- Added new IOCs from DFIRReport and Kyle Hanslovan from Huntress Labs.

### Post Updated 10th March

See further details on each point throughout the post.

- Added ESET post “Exchange servers under siege from at least 10 APT groups”. Added IOCs from this post to the IOC section.
- Added available samples of the ESET analysis about Exchange vulnerabilities used by Chinese APT.
- Added DomainTools post “Examining Exchange Exploitation and its Lessons for Defenders”.
- Added GreyNoise GNQL query for devices crawling the Internet for Microsoft OWA instances, minus known-benign hosts.
- Added detection advice that scheduled tasks similar to the “Sapphire Pigeon” tasks are being seen on non-Exchange hosts on the same network as a compromised Exchange server.
- Added detection advice that looks for hard-coded elements from Exchange POC exploit code.
- Added Azure Sentinel detection that looks for Exchange auditing being disabled.

### Post Updated 9th March

See further details on each point throughout the post.

- Added further IPs which are known to be targeting the vulnerabilities.
- Added link to video of technical showcase of some post exploitation techniques.
- Added link to victim notification website. Businesses can check via email or IP, but it only discloses to people with a provable association with the victim.
- Added link to TrueSec blog post, in particular in relation to the Post Exploitation section.
- Added Sigma rule based on TrueSec’s findings.
- Added another query for Azure Sentinel / Defender for detecting Exchange exploitation.
- Added VirusTotal search for HAFNIUM webshell uploads.
- Added detection advice to use the externaldata operator in Azure Sentinel.
- Added Microsoft Safety Scanner link.
- Added SIGMA rules to detect HAFNIUM Exchange Exploitation Activity and Suspicious Service Binary Directory.
- Added link to Red Canary blog.

### Post Updated 8th March

See further details on each point throughout the post.

- Added KrebsOnSecurity timeline of the Exchange hacks, and when companies reported the issues to Microsoft.
- Added hashes of known good Exchange files.
- Added 2 webshell samples which match hashes mentioned in Microsoft’s HAFNIUM report.
- Added list of known suspect / bad IPs targeting Exchange vulnerabilities.
- Added detection advice for when you are checking POST requests.
- Fixed missing Elastic detections link.
- Added Sysmon config for Exchange Servers.

### Post Updated 7th March

See further details on each point throughout the post.

- Added queries for Azure Sentinel (Sysmon) and M365D to detect anomalous network connections made by the servers.
- Added Elastic detections.
- Added update that you need to re-scan any Exchange systems you previously scanned with Microsoft’s nmap NSE script (http-vuln-cve2021-26855.nse).

## What are the Exchange Zero Days?

In case you have been hiding under a rock this past week (I wouldn’t blame you), here is a breakdown of what they are. You may also hear people referring to the Exchange Zero Days as:

- HAFNIUM (the original threat group who exploited the zero days, named by Microsoft)
- Operation Exchange Marauder (the name given to the initial attack by Volexity, the company who first identified the zero days)

**_From [the original Microsoft post (I highly recommend reading this whole article)](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/):_**

- [CVE-2021-26855](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855) is a server-side request forgery (SSRF) vulnerability in Exchange which allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
- [CVE-2021-26857](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857) is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave HAFNIUM the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
- [CVE-2021-26858](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
- [CVE-2021-27065](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065) is a post-authentication arbitrary file write vulnerability in Exchange. If HAFNIUM could authenticate with the Exchange server then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.

**It is important to note that these vulnerabilities exist on Microsoft Exchange Server, and do not affect Microsoft Exchange Online users.**

### Further reading

There is further information about the zero days at [Volexity’s original post](https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/) and also at the Mandiant Managed Defence post.

[A site named proxylogon.com has also been created.](https://proxylogon.com/) This is for CVE-2021-26855, which is then chained with CVE-2021-27065 to allow unauthenticated attackers to execute code on remote systems. The site shows an example of the exploit in action.

[Brian Krebs (KrebsOnSecurity) has released a basic timeline of the Exchange mass hack.](https://krebsonsecurity.com/2021/03/a-basic-timeline-of-the-exchange-mass-hack/) This includes a timeline of when companies first noted the issues to Microsoft, until the present date.

## Post Exploitation Activities

After exploiting the above vulnerabilities, there have been a number of post exploitation actions seen.
**As per the [Microsoft post](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/), the following post exploitation activities were seen from the HAFNIUM group after they dropped a webshell using the above vulnerabilities.**

- Using Procdump to dump the LSASS process memory
- Using 7-Zip to compress stolen data into ZIP files for exfiltration
- Adding and using Exchange PowerShell snap-ins to export mailbox data
- [Using the Nishang Invoke-PowerShellTcpOneLine reverse shell](https://github.com/samratashok/nishang)
- [Downloading PowerCat from GitHub, then using it to open a connection to a remote server](https://github.com/besimorhino/powercat)
- Downloading the Exchange offline address book from compromised systems

**As per the [Volexity post](https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/), the following post exploitation activities have been seen.**

- `rundll32 C:\windows\system32\comsvcs.dll / MiniDump lsass.dmp` – Dump process memory of lsass.exe to obtain credentials
- PsExec – Windows Sysinternals tool used to execute commands on remote systems
- ProcDump – Windows Sysinternals tool to dump process memory
- WinRar – Command line utility used to archive data for exfiltration
- Webshells (ASPX and PHP) – Used to allow command execution or network proxying via external websites
- Domain account user addition – Leveraged by attackers to add their own user account and grant it privileges to provide access in the future

**As per the [Mandiant post](https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html?1), the following additional activity was seen.**

`net group "Exchange Organization administrators" administrator /del /domain` – This command attempts to delete the administrator user from the Exchange Organization administrators group, beginning with the Domain Controller in the current domain. If the system is in a single-system domain, it will execute on the local computer.

**Please take your time to read the Post-Exploitation Analysis section of [this report from Huntress Labs](https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers?).** There is an in-depth write-up originating from the execution of a command that was detected and stopped by Windows Defender. The thread then goes on until the attacker drops Mimikatz.

**Please take your time to read the Post Exploitation section of [this report from TrueSec](https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/).** It has a number of new post exploitation activities which have not been noted in other posts as of yet.

**Please take your time to read this post from ESET – “Exchange servers under siege from at least 10 APT groups”.** It contains details of 10 threat groups using the exploits and the behaviors they are known to exhibit.

**Please take your time to read this post from DomainTools – “Examining Exchange Exploitation and its Lessons for Defenders”.** It contains a good write-up, especially in relation to attribution and detection.

## DoejoCrypt aka DearCry Ransomware

Please continue to read the information below before reading this section, if you have not done so already.

On the 9th of March, ransomware named #DoejoCrypt aka #DearCry started to target Exchange Servers via the exploits mentioned in this blog.
There are a number of well-written, informative articles on the ransomware targeting Exchange Servers so far:

- [BleepingComputer article](https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/)
- [TheRecord article](https://therecord.media/microsoft-exchange-servers-targeted-by-dearcry-ransomware-abusing-proxylogon-bugs/)
- [Twitter thread from Sophos explaining DearCry](https://twitter.com/SophosLabs/status/1370477406696271875)

[DoejoCrypt / DearCry samples are available at Malware Bazaar.](https://bazaar.abuse.ch/browse/tag/DoejoCrypt/)

[Thanks to James Quinn (who added some of the above samples to Malware Bazaar) for sharing the following:](https://twitter.com/lazyactivist192/status/1370289268158005248)

- [Notes on the samples he found](https://pastebin.com/ZNuZvqZy)
- [AppAnyRun run](https://app.any.run/tasks/813bfec6-72f6-4ea0-9f5d-b9536cdd82eb/)

[As shared by Pete Bryan, the MSTIC feed has been updated.](https://twitter.com/MSSPete/status/1370209021429354499) It includes some hashes related to DearCry ransomware seen exploiting the Exchange vulnerabilities.

A number of Yara rules are available to detect DearCry / DoejoCrypt:

- [Sebdraven – Yara rule link](https://twitter.com/Sebdraven/status/1370326226485805056)
- [Florian Roth / Nils Kuhnert – Yara rule link](https://twitter.com/cyb3rops/status/1370407825327984641)
- [ReversingLabs Yara rule link](https://twitter.com/ReversingLabs/status/1370411258428723202)

## Mitigations and Detections

The list below is all the knowledge I have so far gathered for mitigations and detections against CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065. This also includes some detections for known post exploitation tactics.
### Microsoft

[Microsoft Vulnerability Mitigations](https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/)

Importantly, this tells you:

- [How to install the security update.](https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901) **This does not evict an attacker if they have already compromised the system. It is also worth noting that if you are installing the updates manually, you must run the update from an elevated command prompt.** If you are running an older CU than the patch will accept, you must upgrade to at least the required CU as stated above, then apply the patch.
- [If you see unexpected behaviors or your upgrade fails, please go to this link, which advises how to troubleshoot.](https://docs.microsoft.com/en-us/exchange/troubleshoot/client-connectivity/exchange-security-update-issues)
- [If you are unsure of the patch levels of your Exchange Servers, use this script from Microsoft.](https://github.com/dpaulson45/HealthChecker#download)
- Interim mitigations if you are unable to patch Exchange Server 2013/16/19. This includes what they mitigate and their potential impact. **(These do not fully protect against the attacks. As above, they do not evict an attacker if they have already compromised the system.)**

Microsoft have also provided the following:

- [All Microsoft scripts (the NMAP script to identify if your systems are vulnerable to the Exchange zero days, and the PowerShell script to check Windows event logs and Exchange logs for IOCs) can now be found at this link.](https://github.com/microsoft/CSS-Exchange/tree/main/Security)
- [Microsoft Safety Scanner](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download) is designed to find and remove malware from Windows computers. Simply download it and run a scan on Exchange Servers to find malware and try to reverse changes made by identified threats.
### CheckMyOWA – Victim Notification Site

Thanks to Allison Nixon for [sharing this.](https://twitter.com/nixonnixoff/status/1369359361877934093) CheckMyOWA is a site from Unit221b. In the words of Allison: **_“Re: The recent mass Exchange hacks, we’re releasing a victim notification website. Can check via email or IP, but only discloses to people with a provable association with the victim. Target audience is small businesses who haven’t already been made aware.”_**

[Check out the site here.](https://checkmyowa.unit221b.com/)

### Volexity

[Within the Volexity post they have a large list of indicators that it is recommended you search for.](https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/) I am not going to include them all here, as the list is too long. Please go to the post and review the Indicators of Compromise section and ensure you check for them all.

### Mandiant Managed Defense

[Mandiant Advisory](https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html?1)

Mandiant advise checking the following:

- Child processes of `C:\Windows\System32\inetsrv\w3wp.exe` on Exchange Servers, particularly `cmd.exe`.
- Files written to the system by `w3wp.exe` or `UMWorkerProcess.exe`.
- ASPX files owned by the SYSTEM user.
- New, unexpected compiled ASPX files in the Temporary ASP.NET Files directory.
- Reconnaissance and vulnerability testing requests to the following resources from an external IP address:
  - the `/rpc/` directory
  - `/ecp/DDI/DDIService.svc/SetObject`
  - non-existent resources
  - requests with suspicious or spoofed HTTP User-Agents
- Unexpected or suspicious Exchange PowerShell SnapIn requests to export mailboxes.

They also advise preserving the following artifacts for forensic analysis:

- At least 14 days of HTTP web logs from the `inetpub\Logs\LogFiles` directories (include logs from all subdirectories)
- The contents of the Exchange Web Server (also found within the `inetpub` folder)
- At least 14 days of Exchange Control Panel (ECP) logs, located in `Program Files\Microsoft\Exchange Server\v15\Logging\ECP\Server`
- Microsoft Windows event logs

### Red Canary

[Red Canary Intel have released a fantastic post](https://redcanary.com/blog/microsoft-exchange-attacks/) which contains:

- [The different clusters of threat activity they are seeing](https://redcanary.com/blog/microsoft-exchange-attacks/#clusters)
- [The detection analytics they used to detect them](https://redcanary.com/blog/microsoft-exchange-attacks/#detection)
- [The simple remediation steps you can take to start to remove this activity from your environment if you find it, whether you’re a single administrator or a mature security team](https://redcanary.com/blog/microsoft-exchange-attacks/#remediation)
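The web-log checks Mandiant lists above (requests to `/rpc/` and `/ecp/DDI/DDIService.svc/SetObject` from external addresses, and requests for non-existent resources with odd User-Agents), together with the POST-to-`/ecp/<name>.js` pattern noted under Further Detection Ideas further down, as an added Python example that is not from Mandiant or the original post: it parses the IIS W3C logs Mandiant asks you to preserve and tags each matching request. The sample log lines, the internal address ranges and the "odd User-Agent" markers are constructed assumptions for the example.

```python
# Added example: hunt through IIS W3C logs from an Exchange server for the
# request patterns Mandiant lists and for POST requests to /ecp/<name>.js.
import ipaddress
import re
from collections import Counter
from typing import Dict, List

# Constructed sample in IIS W3C extended format; the #Fields line names the
# columns and IIS writes "+" for spaces inside the User-Agent.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2021-03-03 10:01:02 10.0.0.5 GET /owa/ - 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) 200
2021-03-03 10:01:09 10.0.0.5 POST /ecp/y.js - 203.0.113.10 python-requests/2.25.1 200
2021-03-03 10:01:10 10.0.0.5 POST /ecp/program.js - 203.0.113.10 python-requests/2.25.1 200
2021-03-03 10:01:15 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject - 203.0.113.10 python-requests/2.25.1 200
2021-03-03 10:02:01 10.0.0.5 GET /rpc/ - 198.51.100.7 - 401
2021-03-03 10:03:00 10.0.0.5 GET /ecp/nonexistent.aspx - 198.51.100.7 curl/7.68.0 404
2021-03-03 10:03:05 10.0.0.5 GET /owa/ - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Assumption: the organisation's internal ranges are RFC1918 plus loopback;
# every other client address is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# User-Agent substrings that are unusual for a mailbox user (an assumption for
# this example, not a list from the advisory); IIS logs "-" for a missing header.
ODD_UA_MARKERS = ("python-requests", "curl/", "go-http-client")

# Any POST to /ecp/<something>.js, not only a single-letter name.
ECP_JS_POST = re.compile(r"^/ecp/[^/]+\.js$", re.IGNORECASE)
SETOBJECT_PATH = "/ecp/ddi/ddiservice.svc/setobject"


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column layout can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed rows
                records.append(dict(zip(fields, values)))
    return records


def is_external(ip: str) -> bool:
    """True when the client address lies outside the internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                         # "-" or garbage in c-ip
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def looks_odd_ua(ua: str) -> bool:
    return ua == "-" or any(m in ua.lower() for m in ODD_UA_MARKERS)


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the names of every rule this record trips (empty if none)."""
    path = rec.get("cs-uri-stem", "")
    external = is_external(rec.get("c-ip", ""))
    reasons = []
    if rec.get("cs-method", "").upper() == "POST" and ECP_JS_POST.match(path):
        reasons.append("ecp_js_post")
    if external and path.lower() == SETOBJECT_PATH:
        reasons.append("ecp_setobject_external")
    if external and path.lower().startswith("/rpc/"):
        reasons.append("rpc_probe_external")
    if external and rec.get("sc-status") == "404" and looks_odd_ua(rec.get("cs(User-Agent)", "-")):
        reasons.append("notfound_odd_ua_external")
    return reasons


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Scan a log and return one finding per record that trips any rule."""
    findings = []
    for rec in parse_iis_log(text):
        reasons = classify(rec)
        if reasons:
            findings.append({"time": f"{rec['date']} {rec['time']}",
                             "client": rec["c-ip"],
                             "request": f"{rec['cs-method']} {rec['cs-uri-stem']}",
                             "reasons": ",".join(reasons)})
    return findings


def hits_by_client(text: str) -> Dict[str, int]:
    """Count findings per client IP so the noisiest sources surface first."""
    return dict(Counter(f["client"] for f in find_suspicious(text)))


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"{f['time']}  {f['client']:<14} {f['request']:<42} {f['reasons']}")
```

Point `find_suspicious` at the concatenated contents of `inetpub\Logs\LogFiles` and triage by client address; a genuine administrator session will also show the browser's normal ECP traffic around the flagged lines, while the exploit pattern does not.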
### Cisco Talos

[Cisco Talos Advisory](https://blog.talosintelligence.com/2021/03/threat-advisory-hafnium-and-microsoft.html)

Cisco Talos have released a number of Snort rules which can detect / block the behavior, as follows:

- CVE-2021-26857 – 57233-57234
- CVE-2021-26855 – 57241-57244
- CVE-2021-26858 & CVE-2021-27065 – 57245-57246
- CVE-2021-24085 – 57251
- CVE-2021-27065 – 57252-57253
- Html.Webshell.Hafnium – 57235-57240

There is also a ClamAV signature: Win.ASP.MSExchangeExploit

They importantly point out: _“All organisations using the affected software should prevent external access to port 443 on Exchange Servers, or set up a VPN to provide external access to port 443. This will ensure that only authenticated and authorized users can connect to this service. However, this action will only protect against the initial step of the attack.”_

### CISA

[CISA Advisory](https://us-cert.cisa.gov/ncas/alerts/aa21-062a)

On top of the above recommendations from Cisco, the following advice from CISA is also important:

- Block external access to on-premise Exchange:
  - Restrict external access to the OWA URL: `/owa/`
  - Restrict external access to the Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL: `/ecp/`
- Disconnect vulnerable Exchange servers from the internet until a patch can be applied.

Other international agencies have been releasing advice regarding the zero days. [Catalin Cimpanu shared on Twitter this list of international advisories regarding the Exchange zero days.](https://twitter.com/campuscodi)

### CERT Latvia

[The Latvian CERT have released a PowerShell script to detect webshells dropped by the recent zero days onto Exchange servers.](https://github.com/cert-lv/exchange_webshell_detection)

### Nextron Systems

Nextron Systems have set up THOR Lite (a free forensics scanner) to scan for HAFNIUM indicators. See the blog post and usage instructions here. [This includes this YARA rule written by Joe Hannon from Microsoft that looks for HAFNIUM indicators.](https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium.yar#L172)

### Recon Infosec

[OSQuery hunt to look for systems where the ProcDump EULA has been accepted.](https://rhq.reconinfosec.com/tactics/credential_access/#procdump) This is important as attackers are using Procdump to dump the LSASS process memory.

### Microsoft 365 Defender Hunting Queries

[Microsoft have published a number of hunting queries, as follows.](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md)

- [Reverse shell loaded using Nishang Invoke-PowerShellTcpOneLine technique](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/reverse-shell-nishang.md)
- [Exchange Server IIS dropping web shells](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md)
- [Procdump dumping LSASS credentials](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Credential%20Access/procdump-lsass-credentials.md)
- [7-Zip used by attackers to prepare data for exfiltration](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/7-zip-prep-for-exfiltration.md)
- [Exchange PowerShell snap-in being loaded](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Exfiltration/exchange-powershell-snapin-loaded.md)
- [Powercat exploitation tool downloaded](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/powercat-download.md)
- [Exchange vulnerability creating web shells via UMWorkerProcess](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/umworkerprocess-creating-webshell.md)
- [Exchange vulnerability launching subprocesses through UMWorkerProcess](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/umworkerprocess-unusual-subprocess-activity.md)
- [Base64-encoded Nishang commands for loading reverse shell](https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/reverse-shell-nishang-base64.md)

### SIGMA Queries

Thanks to Florian Roth for [sharing and creating these.](https://twitter.com/cyb3rops/status/1369201843658760195) [This includes two rules.](https://github.com/SigmaHQ/sigma/pull/1378/files)

- HAFNIUM Exchange Exploitation Activity – Detects activity observed by different researchers to be HAFNIUM group activity (or related) on Exchange servers.
- Suspicious Service Binary Directory – Detects a service binary running in a suspicious directory.

### Splunk Queries

[Thanks to Jose Enrique Hernandez for sharing these on Twitter.](https://twitter.com/d1vious/status/1366937178379542528?s=20)

[On the 12th of March, Splunk released an updated blog post including further detection advice.](https://www.splunk.com/en_us/blog/security/detecting-microsoft-exchange-vulnerabilities-0-8-days-later.html) Thanks to John Stoner for sharing this.

### SOC Prime (SIEM detections to translate to various languages)

Thanks to Ring3API for [sharing these on Twitter. Free rules which can be converted to various SIEM languages.](https://twitter.com/rimpq/status/1367034168283136000?s=20)

### Azure Sentinel (Sysmon) and M365D queries to detect anomalous network connections made by the servers

Thanks to [Mehmet Ergene for creating and sharing these.](https://twitter.com/Cyb3rMonk) [Link to the query logic here.](https://github.com/Cyb3r-Monk/Threat-Hunting-and-Detection/blob/main/Uncategorized/Server%20Network%20Connection%20Anomaly.md)

### Further Azure / Defender query to detect exploitation of Exchange vulnerabilities

[Thanks to James Quinn for creating and sharing these.](https://twitter.com/lazyactivist192/status/1367882466506211328) [Link to the query logic here.](https://pastebin.com/J4L3r2RS)

### Elastic Queries / Write-Up

Thanks to [Austin for sharing this.](https://twitter.com/TheAustinSonger) This is the full write-up from Elastic which I missed in my original blog post. It contains a number of pieces of detection logic; see the **[detection section of the article.](https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289)**

[On the 11th of March, Elastic updated their post with the following.](https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3?u=dstepanic) Some TTPs include:

- Network enumeration/discovery
- Credential dumping of the Windows Registry
- Leveraging the makecab utility to compress files

### Known Good Exchange Hashes

Thanks to [John Lambert for sharing this.](https://twitter.com/JohnLaTwC)

- [Hashes provided by the Microsoft Exchange team.](https://github.com/microsoft/CSS-Exchange/tree/main/Security/Baselines)
- [Hashes provided by NCC Group.](https://github.com/nccgroup/Cyber-Defence/tree/master/Intelligence/Exchange)

### Sysmon Config

[As shared by Emir Erdogan, there is a Sysmon config file that can be used for your Exchange servers, to aid in detections.](https://twitter.com/em1rerdogan)

### Further Detection Ideas

These are detection ideas which I am gathering over time from Twitter.

- [As shared by Samir](https://twitter.com/SBousseaden/status/1368241345454870528) – “Multiple instances of w3wp.exe with cmdline containing “MSExchange*AppPool” spawning WerFault.exe could be also an indicator of failed exploitation attempts.”
- [As shared by Joseph](https://twitter.com/JRoosen/status/1367000894349410305) – “If you find you are compromised with the latest Exchange exploit, take a moment and check for any new users in your domain that “appeared” after compromise. Try running this script to see [https://pastebin.com/raw/cr01VuCa](https://t.co/Px9lq76xdV?amp=1)”
- [As shared by Kevin](https://twitter.com/GossiTheDog/status/1368139219948945410?s=20), look for the following – “Large amounts of internal SMB traffic from Exchange Server. Also look for Scheduled task called Winnet on Exchange Server”
- [As shared by Tyler](https://twitter.com/SecShoggoth/status/1368699174066266115), be careful when checking your POST requests – “Anyone searching for/responding to Exchange attacks, one of the key indicators is POST to /ecp/.js. DO NOT JUST LOOK FOR singleletter!!!! Seeing a bunch going to /ecp/program.js!”
- [As shared by Randy](https://twitter.com/rpargman/status/1369327070526935040) – “AzureSentinel pro tip: use the externaldata operator to grab IOC lists such as the one that Microsoft is maintaining for HAFNIUM indicators (https://raw.githubusercontent.com/Azure/AzureSentinel/master/Sample%20Data/Feeds/MSTICIoCs-ExchangeServerVulnerabilitiesDisclosedMarch2021.csv…) and use those values in your KQL queries”
- [As shared by John](https://twitter.com/jdferrell3/status/1369484606320349186) – “We haven’t confirmed lateral movement, but interesting to see scheduled tasks similar to the “Sapphire Pigeon” tasks on non-Exchange hosts on the same network as a compromised Exchange server.”
- [As shared by Pete](https://twitter.com/MSSPete) – “There are a few PoC scripts for Exchange exploits floating around (with varying validity) that people may be trying to use for opportunistic exploits. One of the PoCs has hard coded elements you can hunt for in logs.” [See further details in the Twitter thread here.](https://twitter.com/MSSPete/status/1369749165438160897)
- [As shared by Huy](https://twitter.com/DebugPrivilege/status/1369724976237064194) – “A good use-case to alert on is, when someone is turning off Exchange auditing.” There is a [Sentinel detection for this here.](https://github.com/Azure/Azure-Sentinel/blob/master/Detections/OfficeActivity/exchange_auditlogdisabled.yaml)

## IOC List

[There are numerous IOCs contained within the Microsoft and Volexity reports.](https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/) Here are some extras that I have come across. These are either hosting badness or attempting the exploits.

[Bad Packets have shared the following:](https://twitter.com/bad_packets/status/1370259728840884228)

- Active CVE-2021-21972 payload: http://www.lingx[.]club/javac ([VirusTotal link](https://www.virustotal.com/gui/url/7b42836077818f5f8582eca8cfa16f2ab4d3fa4f7eb2d51d62956452d147fef8/details))
- Exploit attempt source IP: 104.197.133[.]59

[DFIR Report have shared the following:](https://twitter.com/TheDFIRReport/status/1370418458178039808) Exchange proxylogon and file write exploit attempt coming from 45.114.130[.]89 – EHOSTIDC (Japan)

[Kyle Hanslovan has shared that the following China Mobile IP addresses were used for exploitation and interacting with webshells as early as Feb 28.](https://twitter.com/KyleHanslovan/status/1370077442984001537)
- 182.239.124(.)180
- 182.239.123(.)241

[TheDFIRReport has shared the following:](https://twitter.com/TheDFIRReport/status/1370079472033136640) 172.105.174[.]117 is scanning for the following Exchange webshells – 0QWYSEXe.aspx, aspnet_client.aspx, aspnettest.aspx, discover.aspx, error.aspx, help.aspx, HttpProxy.aspx, iispage.aspx, load.aspx, log.aspx, OutlookEN.aspx, shell.aspx, shellex.aspx, sol.aspx, supp0rt.aspx

[From the ESET post above, the network indicators per group are as follows (the post also carries a table of SHA-1 sample hashes with ESET detection names, which is not reproduced here):](https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/)

| IP address / domain | Details |
|---|---|
| 34.90.207[.]23 | LuckyMouse SysUpdate C&C server |
| yolkish[.]com | Calypso C&C server |
| rawfuns[.]com | Calypso C&C server |
| 86.105.18[.]116 | “Opera Cobalt Strike” C&C & distribution server |
| 89.34.111[.]11 | “Opera Cobalt Strike” distribution server |
| 172.105.18[.]72 | Mikroceen RAT C&C server |
| 194.68.44[.]19 | Mikroceen proxy C&C server |
| www.averyspace[.]net | Tick Delphi backdoor C&C server |
| www.komdsecko[.]net | Tick Delphi backdoor C&C server |
| 77.83.159[.]15 | Tonto Team distribution server |
| lab.symantecsafe[.]org | Tonto Team ShadowPad C&C server |
| mm.portomnail[.]com | Winnti Group PlugX C&C server |
| back.rooter[.]tk | Winnti Group PlugX C&C server |
| 161.129.64[.]124 | Winnti malware C&C server |
| ns.rtechs[.]org | Unclassified ShadowPad C&C server |
| soft.mssysinfo[.]xyz | Unclassified ShadowPad C&C server |
| p.estonine[.]com | DLTMiner C&C server |

[Arkbird has shared the available samples of the ESET analysis about Exchange vulnerabilities used by Chinese #APT.](https://twitter.com/Arkbird_SOLG/status/1369658111926099969)

[Andrew Morris has shared a GNQL (Greynoise) query to search for devices crawling the Internet for Microsoft OWA instances, minus known-benign hosts.](https://twitter.com/Andrew___Morris/status/1369533718281531394)
[cyb3rops (Florian Roth) has shared that a new webshell sample with a hash mentioned in Microsoft’s HAFNIUM report surfaced on VirusTotal (upload from Turkey).](https://twitter.com/cyb3rops/status/1368970499297079300)

[Huseyin Rencber has shared another webshell sample added to VirusTotal which matches another hash mentioned in Microsoft’s HAFNIUM report.](https://twitter.com/huseyinrencber_/status/1369004814554849281)

[BushidoToken shared that all HAFNIUM-related uploads to VirusTotal can be found with this search.](https://twitter.com/BushidoToken/status/1369253335061135362)

[MrR3b00t (Daniel Card) has created a community list of known suspect / bad IPs which are targeting the Exchange vulnerabilities.](https://twitter.com/UK_Daniel_Card)

**Further IOCs (may overlap with other links over time):**

[List of known Microsoft Exchange Incident “China Chopper” ASPX webshell filenames from Huntress Labs.](https://gist.github.com/JohnHammond/0b4a45cad4f4ed3324939d72dc599883)

If you find any broken links, think I am missing any important information or have made a mistake, DM me at [https://twitter.com/blueteamblog](https://twitter.com/blueteamblog). If I find more mitigations / detections, sections will be clearly updated, with timestamps.