{"id":9408,"date":"2021-03-03T16:11:16","date_gmt":"2021-03-03T15:11:16","guid":{"rendered":"https:\/\/www.nextron-systems.com\/?p=9408"},"modified":"2022-03-25T14:15:41","modified_gmt":"2022-03-25T13:15:41","slug":"detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity","status":"publish","type":"post","link":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/","title":{"rendered":"Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity"},"content":{"rendered":"

[et_pb_section fb_built=”1″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_row _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

Microsoft<\/a> as well as Volexity<\/a> pubslihed reports on activity of an actor named HAFNIUM by Microsoft exploiting at least four zero-day vulnerabilities in Microsoft Exchange services.\u00a0<\/p>\n

In this blog post we would like to outline the coverage provided by THOR regarding this threat.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_4,3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”1_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

Exploitation<\/h1>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

All four vulnerabilities and related exploitation techniques have been unknown to the public and were used by the attackers at least since the beginning of January this year. We wrote YARA signatures to detect the exploitation attempts in Exchange web service logs and published Sigma rule that looks for more indicators in Exchange server logs.\u00a0<\/p>\n

The new rules will be available on 4th of March.<\/p>\n

We recommend scanning with the “–sigma” command line flag to apply Sigma rules during Logscan and Eventlog scanning.\u00a0<\/p>\n

[\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_4,3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”1_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

Web Shells<\/h1>\n

[\/et_pb_text][\/et_pb_column][et_pb_column type=”3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

The mentioned web shells are already covered by existing rules.<\/p>\n

Look for the following keywords in THOR log data<\/p>\n

    \n
  • Webshell_ASP_cmd_3<\/span><\/li>\n
  • Webshell_lowcov_Nov17_2<\/span><\/li>\n
  • WEBSHELL_SharPyShell_ASPX<\/span><\/li>\n
  • Chopper<\/li>\n
  • reGeorg<\/li>\n
  • Webshell + Tiny<\/li>\n<\/ul>\n

    The web shells samples mentioned by Microsoft as a hash cannot be found in public databases (e.g. Virustotal). We can only guess the current coverage and add a new rule to the rule set of tomorrow:\u00a0<\/p>\n

    \n

    WEBSHELL_TINY_ASP_Chopper_Mar21_1<\/span><\/p>\n<\/div>\n

    Detection rate of some of the web shells on Virustotal:<\/p>\n

    [\/et_pb_text][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-03-at-11.45.01.png” title_text=”Screenshot 2021-03-03 at 11.45.01″ _builder_version=”4.9.0″ _module_preset=”default”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-03-at-11.45.11.png” title_text=”Screenshot 2021-03-03 at 11.45.11″ _builder_version=”4.9.0″ _module_preset=”default”][\/et_pb_image][et_pb_image src=”https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2021\/03\/Screenshot-2021-03-03-at-13.39.11.png” title_text=”Screenshot 2021-03-03 at 13.39.11″ _builder_version=”4.9.0″ _module_preset=”default”][\/et_pb_image][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_4,3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”1_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

    LSASS Process Memory Dumping<\/h1>\n

    [\/et_pb_text][\/et_pb_column][et_pb_column type=”3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]Attackers used procdump and the MiniDump method in\u00a0comsvcs.dll to dump the process memory of lsass.exe.\u00a0<\/span>THOR detects process memory dumps on disk as well as the process dumping attempts in the local Eventlog, if “–sigma” has been used to apply Sigma rules during scanning.<\/p>\n

    Looks for the following keywords in your THOR Logs:<\/p>\n

      \n
    • SUSP_LSASS_Dump<\/li>\n
    • HKTL_PUA_Procdump<\/li>\n
    • HKTL_MiniDump_WriteDump<\/li>\n
    • HKTL_AQUARMOURY_Brownie_Jan21_1<\/li>\n
    • ‘Suspicious Use of Procdump’ (Sigma)<\/li>\n
    • ‘Process Dump via Rundll32 and Comsvcs.dll’ (Sigma)<\/li>\n
    • ‘LSASS process memory dump’ (Filename IOC)<\/li>\n<\/ul>\n

      [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row column_structure=”1_4,3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”1_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]<\/p>\n

      PowerShell Tools<\/h1>\n

      [\/et_pb_text][\/et_pb_column][et_pb_column type=”3_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]The PowerShell tools by Nishang and PowerCat are partly covered by our signatures.<\/p>\n

      Look for the following keywords:<\/p>\n

        \n
      • \n
        p0wnedPowerCat<\/span><\/div>\n<\/li>\n
      • \n
        <\/span>Nishang<\/div>\n<\/li>\n
      • ‘Malicious Nishang PowerShell Commandlets’ (Sigma)<\/li>\n<\/ul>\n

        We wrote a new rule for PowerCat and Nishangs PowerShell tool to achieve a better coverage:<\/span><\/p>\n

          \n
        • \n
          HKTL_PS1_PowerCat_Mar21<\/span><\/div>\n<\/li>\n
        • \n
          HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine<\/span><\/div>\n<\/li>\n<\/ul>\n

          Both new rules will be available on 4th of March. [\/et_pb_text][\/et_pb_column][\/et_pb_row][et_pb_row _builder_version=”4.9.0″ _module_preset=”default”][et_pb_column type=”4_4″ _builder_version=”4.9.0″ _module_preset=”default”][et_pb_text _builder_version=”4.9.0″ _module_preset=”default”]Remember that you can check THOR’s signature set for certain keywords yourself using the ‘–print-signatures’ command line flag. [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"

          Microsoft as well as Volexity pubslihed reports on activity of an actor named HAFNIUM by Microsoft exploiting at least four zero-day vulnerabilities in Microsoft Exchange services.\u00a0 In this blog post we would like to outline the coverage provided by THOR regarding this threat.\u00a0ExploitationAll four vulnerabilities and related exploitation techniques have been unknown to the public and were used by the attackers at least since the beginning of January this year. We wrote YARA signatures to detect the exploitation attempts in Exchange web service logs and published Sigma rule that looks for more indicators in Exchange server logs.\u00a0 The new rules will be available on 4th of March. We recommend scanning with the “–sigma” command line flag to apply Sigma rules during Logscan and Eventlog scanning.\u00a0Web ShellsThe mentioned web shells are already covered by existing rules. Look for the following keywords in THOR log data Webshell_ASP_cmd_3 Webshell_lowcov_Nov17_2 WEBSHELL_SharPyShell_ASPX Chopper reGeorg Webshell + Tiny The web shells samples mentioned by Microsoft as a hash cannot be found in public databases (e.g. Virustotal). We can only guess the current coverage and add a new rule to the rule set of tomorrow:\u00a0 WEBSHELL_TINY_ASP_Chopper_Mar21_1 Detection rate of some of the web shells on Virustotal:LSASS Process […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[327],"tags":[605,13,603,602,118,7,604,48],"class_list":["post-9408","post","type-post","status-publish","format-standard","hentry","category-alert","tag-0days","tag-detection","tag-exchange","tag-hafnium","tag-iocs","tag-scanner","tag-vulnerabilities","tag-yara"],"yoast_head":"\nDetection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity - Nextron Systems<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/\"},\"author\":{\"name\":\"Florian Roth\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\"},\"headline\":\"Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity\",\"datePublished\":\"2021-03-03T15:11:16+00:00\",\"dateModified\":\"2022-03-25T13:15:41+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/\"},\"wordCount\":801,\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"keywords\":[\"0days\",\"detection\",\"Exchange\",\"HAFNIUM\",\"IOCs\",\"scanner\",\"Vulnerabilities\",\"YARA\"],\"articleSection\":[\"Alert\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/\",\"url\":\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/\",\"name\":\"Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity - Nextron Systems\",\"isPartOf\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#website\"},\"datePublished\":\"2021-03-03T15:11:16+00:00\",\"dateModified\":\"2022-03-25T13:15:41+00:00\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/\"]}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.nextron-systems.com\/#website\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"name\":\"Nextron Systems\",\"description\":\"We Detect Hackers\",\"publisher\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.nextron-systems.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.nextron-systems.com\/#organization\",\"name\":\"Nextron Systems GmbH\",\"url\":\"https:\/\/www.nextron-systems.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"contentUrl\":\"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png\",\"width\":260,\"height\":260,\"caption\":\"Nextron Systems GmbH\"},\"image\":{\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919\",\"name\":\"Florian Roth\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g\",\"caption\":\"Florian Roth\"},\"description\":\"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.\",\"url\":\"https:\/\/www.nextron-systems.com\/author\/florian\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity - Nextron Systems","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/#article","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/"},"author":{"name":"Florian Roth","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919"},"headline":"Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity","datePublished":"2021-03-03T15:11:16+00:00","dateModified":"2022-03-25T13:15:41+00:00","mainEntityOfPage":{"@id":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/"},"wordCount":801,"publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"keywords":["0days","detection","Exchange","HAFNIUM","IOCs","scanner","Vulnerabilities","YARA"],"articleSection":["Alert"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/","url":"https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/","name":"Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity - Nextron Systems","isPartOf":{"@id":"https:\/\/www.nextron-systems.com\/#website"},"datePublished":"2021-03-03T15:11:16+00:00","dateModified":"2022-03-25T13:15:41+00:00","inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.nextron-systems.com\/2021\/03\/03\/detection-coverage-of-hafnium-activity-reported-by-microsoft-and-volaxity\/"]}]},{"@type":"WebSite","@id":"https:\/\/www.nextron-systems.com\/#website","url":"https:\/\/www.nextron-systems.com\/","name":"Nextron Systems","description":"We Detect Hackers","publisher":{"@id":"https:\/\/www.nextron-systems.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.nextron-systems.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.nextron-systems.com\/#organization","name":"Nextron Systems GmbH","url":"https:\/\/www.nextron-systems.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","contentUrl":"https:\/\/www.nextron-systems.com\/wp-content\/uploads\/2017\/11\/Nextron_0.2s_inv_symbol_only.png","width":260,"height":260,"caption":"Nextron Systems GmbH"},"image":{"@id":"https:\/\/www.nextron-systems.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/4fd503007d60aabaf1ae747502f36919","name":"Florian Roth","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.nextron-systems.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/0dfaa838ce5d82e2e7bfa75ed3f43ae5?s=96&d=mm&r=g","caption":"Florian Roth"},"description":"Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.","url":"https:\/\/www.nextron-systems.com\/author\/florian\/"}]}},"_links":{"self":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9408","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/comments?post=9408"}],"version-history":[{"count":14,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9408\/revisions"}],"predecessor-version":[{"id":9435,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/posts\/9408\/revisions\/9435"}],"wp:attachment":[{"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/media?parent=9408"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/categories?post=9408"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nextron-systems.com\/wp-json\/wp\/v2\/tags?post=9408"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}