{
	"id": "d4b3afab-cc17-47bd-af10-302998066548",
	"created_at": "2026-04-06T00:17:57.873836Z",
	"updated_at": "2026-04-10T13:11:25.823925Z",
	"deleted_at": null,
	"sha1_hash": "db623a5ac56c35636f8e7e92a67e3aafa34a6f6d",
	"title": "Detection and Response for HAFNIUM Activity - Elastic Security - Discuss the Elastic Stack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 159649,
	"plain_text": "Detection and Response for HAFNIUM Activity - Elastic Security -\r\nDiscuss the Elastic Stack\r\nPublished: 2021-03-04 · Archived: 2026-04-05 13:51:48 UTC\r\nDetection and Response for HAFNIUM Activity\r\nExecutive summary\r\nOn March 2, 2021, Microsoft released a security update for on-premises Exchange servers to address vulnerabilities being\r\nexploited. Security vendors are seeing these vulnerabilities being actively exploited, confirming an imminent threat of\r\nleaving systems un-patched. Elastic Security Intelligence \u0026 Analytics shares information about detections for this activity,\r\nand observations about exploitation in the wild.\r\nDetails\r\nOn March 2, 2021, Microsoft released a security update describing several 0day exploits targeting on-premises Microsoft\r\nExchange servers. Four published vulnerabilities relate to this activity, for which Microsoft released a patch. The\r\nvulnerabilities include CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.\r\nAs reported by Volexity and other security vendors, adversaries exploiting these vulnerabilities may install webshells that\r\nfunction as backdoors. With privileges of the IIS web server, adversaries harvested credentials, conducted reconnaissance,\r\nextracted and stole MailBox content and created new users. Elastic Security Intelligence \u0026 Analytics has summarized\r\ncapabilities related to these behaviors to address affected users.\r\nElastic has also observed evidence of this activity in our telemetry, and we’ve contacted affected customers. One behavior\r\nwe observed was the deletion of the administrator account from the “Exchange Organization administrators” group\r\n(Figure 1) .\r\nFigure 1 - Process ancestry of net group command removing administrator account\r\nThreat researchers observed unusual descendants (“cmd.exe”, “powershell.exe”) of the Exchange IIS webserver\r\n(“w3wp.exe”) that involved remote network connections (86.105.18[.]116). 
Our observations have been independently\r\ncorroborated by others in the community (Figure 2) as malicious. While this activity resembles the HAFNIUM activity\r\ngroup, these observations may represent opportunistic or other threats.\r\nhttps://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289\r\nPage 1 of 5\n\nFigure 2 - Adversary download of malicious batch script, observed by Elastic\r\nElastic found that adversaries ran a malicious batch script (“1.bat”) which downloaded a legitimate version of the\r\nOpera browser (“opera_browser.exe”) and a malicious DLL (“opera_browser.dll”) before launching MSIExec\r\n(“msiexec.exe”). On execution, the Opera browser automatically loaded the malicious DLL due to a side-loading\r\nvulnerability, which then injected shellcode into MSIExec.\r\nOverview\r\nThe National Institute of Standards and Technology (NIST) assigned a critical CVSS score of 7.8 - 9.1 out of 10 based\r\non remote code execution without authentication\r\nThe vulnerabilities affect self-managed, on-premises Exchange servers\r\nThe initial activity was reported by Microsoft and attributed to “HAFNIUM,” which Microsoft describes as a\r\nChina-based threat; note that general adoption of this methodology by opportunistic threats is likely\r\nTimeline of events\r\nMarch 2, 2021 - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065 issued for the\r\nvulnerabilities\r\nMarch 2, 2021 - Microsoft released a patch\r\nMarch 3, 2021 - Elastic observes post-exploitation activity via telemetry\r\nMarch 4, 2021 - Elastic releases related public detection logic\r\nImpact\r\nMicrosoft asserts that these vulnerabilities affect all on-premises Exchange servers (Exchange Server 2013, Exchange\r\nServer 2016 and Exchange Server 2019) and issued an update for Microsoft Exchange Server 2010 for completeness.\r\nExchange Online is not affected.\r\nNotably, the initial attack requires on-premises Exchange servers to be accessible to the public Internet via port 
443.\r\nAttackers with access to enterprises where Exchange servers are internally accessible may be able to exploit unpatched\r\nvulnerabilities related to this activity.\r\nThe associated HAFNIUM exploit chain leverages multiple tactics and techniques categorized by the MITRE ATT\u0026CK®\r\nframework:\r\nTactics\r\nCredential Access\r\nCollection\r\nCommand and Control\r\nExecution\r\nLateral Movement\r\nPersistence\r\nTechniques/Subtechniques\r\nOS Credential Dumping\r\nEmail Collection\r\nArchive Collected Data\r\nWeb Service\r\nSystem Services/Service Execution\r\nRemote Services\r\nCreate Account\r\nDetection\r\nDetection logic\r\nOn March 4, 2021, Elastic released guidance describing Elastic Endpoint rules that target this cluster of activity\r\n(HAFNIUM) in the public repository:\r\nPotential Credential Access via Windows Utilities\r\nExporting Exchange Mailbox via PowerShell\r\nEncrypting Files with WinRar or 7z\r\nConnection to Commonly Abused Web Services\r\nPsExec Network Connection\r\nSuspicious Process Execution via Renamed PsExec Executable\r\nRemotely Started Services via RPC\r\nUser Account Creation\r\nAdditionally, two new behavioral rules for Elastic Endpoint have been created in light of this newly reported activity:\r\nMicrosoft Exchange Server UM Spawning Suspicious Processes\r\nMicrosoft Exchange Server UM Writing Suspicious Files\r\nOn March 4, 2021, Elastic also released guidance describing Elastic Endgame rules that target this cluster of activity. 
The\r\nfollowing rules can be enabled:\r\nCreation of an Archive File\r\nEncrypting Files with 7Zip\r\nWebshell Detection\r\nPsExec Lateral Movement Command\r\nSuspicious PowerShell Downloads\r\nEnumeration of Administrator Accounts\r\nThe following supplemental queries for Elastic Endgame may also be recommended:\r\nMemory Dump via Comsvcs (Endgame EQL):\r\nThe detection logic in Figure 3 (below) identifies suspicious or unexpected use of a native application (“rundll32.exe”) to\r\nperform a process memory dump. This activity may indicate an attempt to obtain process memory from LSASS, which\r\nmay contain credentials.\r\nprocess where subtype.create and process_name == \"rundll32.exe\" and wildcard(command_line, \"*MiniDump*full*\")\r\nFigure 3 - Memory Dump via Comsvcs\r\nDescendants of IIS (Endgame EQL):\r\nThe detection logic in Figure 4 (below) identifies unusual descendants of the IIS webserver process (“w3wp.exe”). This\r\nactivity may indicate commands or other observable behaviors related to the use of a persistent webshell.\r\nprocess where subtype.create and parent_process_name == \"w3wp.exe\"\r\nFigure 4 - Descendants of IIS\r\nCreation of an Archive File (Endgame EQL):\r\nThe detection logic in Figure 5 (below) identifies file operations related to common archiving utilities. This activity may\r\nindicate an attempt to obtain process memory from LSASS, which may contain credentials.\r\nfile where not subtype.delete and wildcard(file_name, \"*.7z\", \"*.rar\")\r\nFigure 5 - Creation of an Archive File\r\nDefensive recommendations\r\n1. Review and implement the above detection logic within your environment using technology such as Elastic\r\nEndpoint, Winlogbeat, Filebeat, Packetbeat, or Network Security Monitoring (NSM) platforms such as Zeek or\r\nSuricata.\r\n2. 
Review and ensure that you have deployed the latest Microsoft Security Updates for Exchange Server, and consider\r\nother recommendations from Microsoft for Exchange hardening.\r\n3. Maintain backups of your critical systems to aid in quick recovery.\r\n4. Perform routine vulnerability scans of your systems and patch identified vulnerabilities.\r\nReferences\r\n1. CVE-2021-26855 | Microsoft Server Remote Code Execution Vulnerability\r\n2. CVE-2021-26857 | Microsoft Server Remote Code Execution Vulnerability\r\n3. CVE-2021-26858 | Microsoft Server Remote Code Execution Vulnerability\r\n4. CVE-2021-27065 | Microsoft Server Remote Code Execution Vulnerability\r\n5. HAFNIUM targeting Exchange Servers with 0-day exploits\r\nhttps://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/\r\n6. Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities\r\nIndicators of Compromise\r\nTable 1 describes atomic indicators of compromise (IOCs) observed in this intrusion-set. 
IOCs observed by Elastic have\r\nbeen included for the community, and don't represent all IOCs associated with HAFNIUM or HAFNIUM-inspired\r\nintrusions.\r\nArtifact | Note | SHA256\r\n1.bat | Batch script, automates download and execution | Not recovered\r\n[shellcode] | Encrypted object | 4e3b7cb4cebe2b00645dda08a229f6fdc914a46968444c4afc99e675c926c8a2\r\nopera_browser.exe | Legitimate Opera browser application | 5aa7c379eb054a745d3c187f877fea6fe2b9bd3792365714a8a52c2504d4ac07\r\nopera_browser.dll | Malicious DLL, side-loaded by opera_browser.exe | b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff\r\n86.105.18[.]116 | Staging site, hosts files used in this activity cluster | N/A\r\nTable 1 - Indicators of Compromise\r\nSource: https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
	],
	"report_names": [
		"266289"
	],
	"threat_actors": [
		{
			"id": "7c969685-459b-4c93-a788-74108eab6f47",
			"created_at": "2023-01-06T13:46:39.189751Z",
			"updated_at": "2026-04-10T02:00:03.241102Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"Red Dev 13",
				"Silk Typhoon",
				"MURKY PANDA",
				"ATK233",
				"G0125",
				"Operation Exchange Marauder"
			],
			"source_name": "MISPGALAXY:HAFNIUM",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2704d770-43b4-4bc4-8a5a-05df87416848",
			"created_at": "2022-10-25T15:50:23.306305Z",
			"updated_at": "2026-04-10T02:00:05.296581Z",
			"deleted_at": null,
			"main_name": "HAFNIUM",
			"aliases": [
				"HAFNIUM",
				"Operation Exchange Marauder",
				"Silk Typhoon"
			],
			"source_name": "MITRE:HAFNIUM",
			"tools": [
				"Tarrask",
				"ASPXSpy",
				"Impacket",
				"PsExec",
				"China Chopper"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "529c1ae9-4579-4245-86a6-20f4563a695d",
			"created_at": "2022-10-25T16:07:23.702006Z",
			"updated_at": "2026-04-10T02:00:04.71708Z",
			"deleted_at": null,
			"main_name": "Hafnium",
			"aliases": [
				"G0125",
				"Murky Panda",
				"Red Dev 13",
				"Silk Typhoon"
			],
			"source_name": "ETDA:Hafnium",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434677,
	"ts_updated_at": 1775826685,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/db623a5ac56c35636f8e7e92a67e3aafa34a6f6d.pdf",
		"text": "https://archive.orkl.eu/db623a5ac56c35636f8e7e92a67e3aafa34a6f6d.txt",
		"img": "https://archive.orkl.eu/db623a5ac56c35636f8e7e92a67e3aafa34a6f6d.jpg"
	}
}