Hafnium Exchange Vuln Detection - KQL - Pastebin.com
Archived: 2026-04-05 14:09:35 UTC
1. let networkEvent = DeviceNetworkEvents
2. | where ActionType == "InboundConnectionAccepted" and InitiatingProcessFileName =~ "System"
3. | extend netTimestamp = Timestamp
4. | project DeviceId, DeviceName, netTimestamp, RemoteIP, RemotePort; //Grab a table of all accepted
inbound connections, projecting the Timestamp for further manipulation
5. let shellWrite = DeviceFileEvents
6. | where ActionType == "FileCreated" and FolderPath has "inetpub" and FileName has_any (".php", ".jsp",
".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml")
7. | project DeviceName, DeviceId, Timestamp, FileName, FolderPath; //Grab a table of all created files in
inetpub, with a file extension ending in ".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml".
Projecting timestamp for further manipulation
8. DeviceFileEvents
9. | where (FileName =~ "applicationHost.config" or FileName =~ "administration.config") and FolderPath
contains "inetpub" //Grab all instances of updates to the IIS applicationHost.config or administration.config
10. | join shellWrite on DeviceName, DeviceId
11. | join networkEvent on DeviceId, DeviceName
12. | extend time_diff = datetime_diff('second',Timestamp,Timestamp1) //create a time differential column for
shellWrite and config update
13. | extend netTimeDiff = datetime_diff('second',Timestamp1,netTimestamp) //create a time differential
column for networkEvent and the shellWrite
14. | where (time_diff <= 60 and time_diff >= 0) and (netTimeDiff <= 10 and netTimeDiff >= 0) //differential
filtering for networkEvent and shellWrite
Source: https://pastebin.com/J4L3r2RS
https://pastebin.com/J4L3r2RS
Page 1 of 1