YARA Signatures for Identifying HAFNIUM Attack on Exchange Servers

Protiviti has assessed the YARA rules and verified that they accurately address the indicators known on March 2, 2021. Whenever using external links as a source, Protiviti recommends that all clients practice caution when ingesting open source data, as its usage is at their own risk. Thanks to Florian Roth for making the following rule available on GitHub under the MIT license. (Note: "artefact" spelling is correct as used in the script.)

rule EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 {

meta:

description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065"

author = "Florian Roth"

reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"

date = "2021-03-02"

strings:

$s1 = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='" ascii wide fullword

condition:

1 of them

}

rule EXPL_LOG_CVE_2021_26858_Exchange_Forensic_Artefacts_Mar21_1 {

meta:

description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-26858"

author = "Florian Roth"

reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"

date = "2021-03-02"

strings:

$xr1 = /POST[^\n]{1,40}(\/owa\/auth\/Current\/themes\/resources\/logon\.css|\/owa\/auth\/Current\/themes\/resources\/owafont_ja\.css|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif|\/owa\/auth\/Current\/themes\/resources\/owafont_ko\.css|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiBold\.eot|\/owa\/auth\/Current\/themes\/resources\/SegoeUI-SemiLight\.ttf|\/owa\/auth\/Current\/themes\/resources\/lgnbotl\.gif)/

condition:

$xr1

}

rule APT_HAFNIUM_Forensic_Artefacts_Mar21_1 {

meta:

description = "Detects forensic artefacts found in HAFNIUM intrusions"

author = "Florian Roth"

reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"

date = "2021-03-02"

strings:

$s1 = "lsass.exe C:\\windows\\temp\\lsass" ascii wide fullword

$s2 = "c:\\ProgramData\\it.zip" ascii wide fullword

$s3 = "powercat.ps1'); powercat -c" ascii wide fullword

condition:

1 of them

}

rule HKTL_PS1_PowerCat_Mar21 {

meta:

description = "Detects PowerCat hacktool"

author = "Florian Roth"

reference = "https://github.com/besimorhino/powercat"

date = "2021-03-02"

hash1 = "c55672b5d2963969abe045fe75db52069d0300691d4f1f5923afeadf5353b9d2"

strings:

$x1 = "powercat -l -p 8000 -r dns:10.1.1.1:53:c2.example.com" ascii fullword

$x2 = "try{[byte[]]$ReturnedData = $Encoding.GetBytes((IEX $CommandToExecute 2>&1 | Out-String))}" ascii fullword

$s1 = "Returning Encoded Payload..." ascii

$s2 = "$CommandToExecute =" ascii fullword

$s3 = "[alias(\"Execute\")][string]$e=\"\"," ascii

condition:

uint16(0) == 0x7566 and

filesize < 200KB and

1 of ($x*) or 3 of them

}

rule HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine {

meta:

description = "Detects PowerShell Oneliner in Nishang's repository"

author = "Florian Roth"

reference = "https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLine.ps1"

date = "2021-03-03"

hash1 = "2f4c948974da341412ab742e14d8cdd33c1efa22b90135fcfae891f08494ac32"

strings:

$s1 = "=([text.encoding]::ASCII).GetBytes((iex $" ascii wide

$s2 = ".GetStream();[byte[]]$" ascii wide

$s3 = "New-Object Net.Sockets.TCPClient('" ascii wide

condition:

all of them

}

rule WEBSHELL_ASPX_SimpleSeeSharp : Webshell Unclassified {

meta:

author = "[email protected]"

date = "2021-03-01"

description = "A simple ASPX Webshell that allows an attacker to write further files to disk."

hash = "893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2"

reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"

strings:

$header = "<%@ Page Language=\"C#\" %>"

$body = "<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine"

condition:

$header at 0 and

$body and

filesize < 1KB

}

rule WEBSHELL_ASPX_reGeorgTunnel : Webshell Commodity {

meta:

author = "[email protected]"

date = "2021-03-01"

description = "variation on reGeorgtunnel"

hash = "406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928"

reference = "https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx"

strings:

$s1 = "System.Net.Sockets"

$s2 = "System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get"

$t1 = ".Split('|')"

$t2 = "Request.Headers.Get"

$t3 = ".Substring("

$t4 = "new Socket("

$t5 = "IPAddress ip;"

condition:

all of ($s*) or

all of ($t*)

}

rule WEBSHELL_ASPX_SportsBall : Webshell {

meta:

author = "[email protected]"

date = "2021-03-01"

description = "The SPORTSBALL webshell allows attackers to upload files or execute commands on the system."

hash = "2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a"

reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"

strings:

$uniq1 = "HttpCookie newcook = new HttpCookie(\"fqrspt\", HttpContext.Current.Request.Form"

$uniq2 = "ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE="

$var1 = "Result.InnerText = string.Empty;"

$var2 = "newcook.Expires = DateTime.Now.AddDays("

$var3 = "System.Diagnostics.Process process = new System.Diagnostics.Process();"

$var4 = "process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\""

$var5 = "else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\""

$var6 = "<input type=\"submit\" value=\"Upload\" />"

condition:

any of ($uniq*) or

all of ($var*)

}

Search in Protiviti.com

YARA Signatures for Identifying HAFNIUM Attack on Exchange Servers