{ "id": "88973f83-2bec-4417-97c3-d31a6e108857", "created_at": "2026-04-06T00:08:37.261448Z", "updated_at": "2026-04-10T03:35:48.384125Z", "deleted_at": null, "sha1_hash": "d6ed5d75675089c87bd2378f765fd2fec9ac8cda", "title": "Hafnium Exchange Vuln Detection - KQL - Pastebin.com", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 31330, "plain_text": "Hafnium Exchange Vuln Detection - KQL - Pastebin.com\r\nArchived: 2026-04-05 14:09:35 UTC\r\n1. let networkEvent = DeviceNetworkEvents\r\n2. | where ActionType == \"InboundConnectionAccepted\" and InitiatingProcessFileName =~ \"System\"\r\n3. | extend netTimestamp = Timestamp\r\n4. | project DeviceId, DeviceName, netTimestamp, RemoteIP, RemotePort; //Grab a table of all accepted\r\ninbound connections, projecting the Timestamp for further manipulation\r\n5. let shellWrite = DeviceFileEvents\r\n6. | where ActionType == \"FileCreated\" and FolderPath has \"inetpub\" and FileName has_any (\".php\", \".jsp\",\r\n\".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\")\r\n7. | project DeviceName, DeviceId, Timestamp, FileName, FolderPath; //Grab a table of all created files in\r\ninetpub, with a file extension ending in \".php\", \".jsp\", \".js\", \".aspx\", \".asmx\", \".asax\", \".cfm\", \".shtml\".\r\nProjecting timestamp for further manipulation\r\n8. DeviceFileEvents\r\n9. | where (FileName =~ \"applicationHost.config\" or FileName =~ \"administration.config\") and FolderPath\r\ncontains \"inetpub\" //Grab all instances of updates to the IIS applicationHost.config or administration.config\r\n10. | join shellWrite on DeviceName, DeviceId\r\n11. | join networkEvent on DeviceId, DeviceName\r\n12. | extend time_diff = datetime_diff('second',Timestamp,Timestamp1) //create a time differential column for\r\nshellWrite and config update\r\n13. | extend netTimeDiff = datetime_diff('second',Timestamp1,netTimestamp) //create a time differential\r\ncolumn for networkEvent and the shellWrite\r\n14. | where (time_diff \u003c= 60 and time_diff \u003e= 0) and (netTimeDiff \u003c= 10 and netTimeDiff \u003e= 0) //differential\r\nfiltering for networkEvent and shellWrite\r\nSource: https://pastebin.com/J4L3r2RS\r\nhttps://pastebin.com/J4L3r2RS\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "MISPGALAXY", "Malpedia" ], "references": [ "https://pastebin.com/J4L3r2RS" ], "report_names": [ "J4L3r2RS" ], "threat_actors": [ { "id": "7c969685-459b-4c93-a788-74108eab6f47", "created_at": "2023-01-06T13:46:39.189751Z", "updated_at": "2026-04-10T02:00:03.241102Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "Red Dev 13", "Silk Typhoon", "MURKY PANDA", "ATK233", "G0125", "Operation Exchange Marauder" ], "source_name": "MISPGALAXY:HAFNIUM", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "2704d770-43b4-4bc4-8a5a-05df87416848", "created_at": "2022-10-25T15:50:23.306305Z", "updated_at": "2026-04-10T02:00:05.296581Z", "deleted_at": null, "main_name": "HAFNIUM", "aliases": [ "HAFNIUM", "Operation Exchange Marauder", "Silk Typhoon" ], "source_name": "MITRE:HAFNIUM", "tools": [ "Tarrask", "ASPXSpy", "Impacket", "PsExec", "China Chopper" ], "source_id": "MITRE", "reports": null }, { "id": "529c1ae9-4579-4245-86a6-20f4563a695d", "created_at": "2022-10-25T16:07:23.702006Z", "updated_at": "2026-04-10T02:00:04.71708Z", "deleted_at": null, "main_name": "Hafnium", "aliases": [ "G0125", "Murky Panda", "Red Dev 13", "Silk Typhoon" ], "source_name": "ETDA:Hafnium", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434117, "ts_updated_at": 1775792148, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/d6ed5d75675089c87bd2378f765fd2fec9ac8cda.pdf", "text": "https://archive.orkl.eu/d6ed5d75675089c87bd2378f765fd2fec9ac8cda.txt", "img": "https://archive.orkl.eu/d6ed5d75675089c87bd2378f765fd2fec9ac8cda.jpg" } }