CSEC_PUBLIC/hayabusa
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
a00a114101ab33eda2e75c9cf2ddab57cccea821
hayabusa/rules/sigma/process_creation/win_apt_hafnium.yml
DustInDark 0cfa806baf Feature/addruletype to sigma rule#230 (#235) 
* added ruletype to SIGMA rule #230

* added ruletype to SIGMA rule converter tool #231
2021-11-28 18:14:51 +09:00

95 lines
2.7 KiB
YAML
Raw Blame History

title: Exchange Exploitation Activity
author: Florian Roth
date: 2021/03/09
description: Detects activity observed by different researchers to be HAFNIUM group
activity (or related) on Exchange servers
detection:
SELECTION_1:
EventID: 1
SELECTION_10:
CommandLine: '*Temp\__output*'
SELECTION_11:
CommandLine: '*%TEMP%\execute.bat*'
SELECTION_12:
Image: '*Users\Public\opera\Opera_browser.exe'
SELECTION_13:
Image: '*Opera_browser.exe'
SELECTION_14:
ParentImage:
- '*\services.exe'
- '*\svchost.exe'
SELECTION_15:
Image: '*\ProgramData\VSPerfMon\\*'
SELECTION_16:
CommandLine: '* -t7z *'
SELECTION_17:
CommandLine: '*C:\Programdata\pst*'
SELECTION_18:
CommandLine: '*\it.zip*'
SELECTION_19:
Image: '*\makecab.exe'
SELECTION_2:
CommandLine: '*attrib*'
SELECTION_20:
CommandLine:
- '*Microsoft\Exchange Server\\*'
- '*inetpub\wwwroot*'
SELECTION_21:
CommandLine:
- '*\Temp\xx.bat*'
- '*Windows\WwanSvcdcs*'
- '*Windows\Temp\cw.exe*'
SELECTION_22:
CommandLine: '*\comsvcs.dll*'
SELECTION_23:
CommandLine: '*Minidump*'
SELECTION_24:
CommandLine: '*\inetpub\wwwroot*'
SELECTION_25:
CommandLine: '*dsquery*'
SELECTION_26:
CommandLine: '* -uco *'
SELECTION_27:
CommandLine: '*\inetpub\wwwroot*'
SELECTION_3:
CommandLine: '* +h *'
SELECTION_4:
CommandLine: '* +s *'
SELECTION_5:
CommandLine: '* +r *'
SELECTION_6:
CommandLine: '*.aspx*'
SELECTION_7:
CommandLine: '*schtasks*'
SELECTION_8:
CommandLine: '*VSPerfMon*'
SELECTION_9:
CommandLine: '*vssadmin list shadows*'
condition: (SELECTION_1 and ((SELECTION_2 and SELECTION_3 and SELECTION_4 and SELECTION_5
and SELECTION_6) or (SELECTION_7 and SELECTION_8) or (SELECTION_9 and SELECTION_10)
or SELECTION_11 or SELECTION_12 or (SELECTION_13 and SELECTION_14) or SELECTION_15
or (SELECTION_16 and SELECTION_17 and SELECTION_18) or (SELECTION_19 and SELECTION_20)
or SELECTION_21 or (SELECTION_22 and SELECTION_23 and SELECTION_24) or (SELECTION_25
and SELECTION_26 and SELECTION_27)))
falsepositives:
- Unknown
id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7
level: high
logsource:
category: process_creation
product: windows
modified: 2021/03/16
references:
- https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
- https://twitter.com/GadixCRK/status/1369313704869834753?s=20
- https://twitter.com/BleepinComputer/status/1372218235949617161
status: experimental
tags:
- attack.persistence
- attack.t1546
- attack.t1053
ruletype: SIGMA
Reference in New Issue View Git Blame Copy Permalink