Detection Coverage of HAFNIUM Activity Reported by Microsoft and Volexity

by Florian Roth, Mar 3, 2021

Microsoft and Volexity published reports on the activity of an actor, named HAFNIUM by Microsoft, that exploited at least four zero-day vulnerabilities in Microsoft Exchange Server.

In this blog post we outline the coverage THOR provides for this threat.

Exploitation

All four vulnerabilities and the related exploitation techniques were unknown to the public and have been used by the attackers since at least the beginning of January this year. We wrote YARA signatures that detect exploitation attempts in the Exchange web service logs and published a Sigma rule that looks for further indicators in Exchange server logs.

The new rules will be available on 4th of March.

We recommend scanning with the “--sigma” command line flag, which applies the Sigma rules during the Logscan and Eventlog scanning.

Web Shells

The web shells mentioned in the reports are already covered by existing rules.

Look for the following keywords in your THOR log data:

  • Webshell_ASP_cmd_3
  • Webshell_lowcov_Nov17_2
  • WEBSHELL_SharPyShell_ASPX
  • Chopper
  • reGeorg
  • Webshell + Tiny

The web shell samples that Microsoft lists only as hashes cannot be found in public databases (e.g. VirusTotal). We can only estimate the current coverage and have added a new rule to tomorrow's rule set:

WEBSHELL_TINY_ASP_Chopper_Mar21_1

[Screenshot: detection rate of some of the web shells on VirusTotal]

LSASS Process Memory Dumping

The attackers used procdump and the MiniDump export of comsvcs.dll to dump the process memory of lsass.exe. THOR detects process memory dumps on disk as well as the dumping attempts recorded in the local Eventlog, provided that “--sigma” has been used to apply the Sigma rules during the scan.

Look for the following keywords in your THOR logs:

  • SUSP_LSASS_Dump
  • HKTL_PUA_Procdump
  • HKTL_MiniDump_WriteDump
  • HKTL_AQUARMOURY_Brownie_Jan21_1
  • ‘Suspicious Use of Procdump’ (Sigma)
  • ‘Process Dump via Rundll32 and Comsvcs.dll’ (Sigma)
  • ‘LSASS process memory dump’ (Filename IOC)
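To make the two detection angles above concrete, here is an added example (my own code, not THOR's and not part of the original post) that implements both checks over constructed input: a content check for minidump files on disk, which catches a dump regardless of the name it was renamed to, and two command-line checks in the spirit of the Sigma rules named above, one for a procdump-style "-ma"/"-mm" dump aimed at lsass (without requiring the binary to still be called procdump) and one for the MiniDump export of comsvcs.dll. The pipe-delimited event format, the sample events and the sample file bytes are constructed for this example; the MINIDUMP_HEADER layout (signature "MDMP", low word of the version field 0xA793) is the documented Windows format.

```python
"""LSASS-dump indicators: added example, not THOR's or Nextron's own code.

Two content checks corresponding to what the post says THOR looks for:
  1. process-creation events whose command line points a procdump-style
     dump switch or the MiniDump export of comsvcs.dll at lsass
  2. files on disk that carry the Windows minidump header, whatever
     extension the file has been given
Event format, sample events and sample bytes are constructed for the example.
"""
import re
import struct

# MINIDUMP_HEADER (minidumpapiset.h): Signature 'MDMP', then a 32-bit Version
# whose low 16 bits are MINIDUMP_VERSION (0xA793).
MINIDUMP_SIGNATURE = b"MDMP"
MINIDUMP_VERSION = 0xA793


def looks_like_minidump(data: bytes) -> bool:
    """Content-based check: a dump renamed to .bin or .txt still matches."""
    if len(data) < 8 or data[:4] != MINIDUMP_SIGNATURE:
        return False
    (version,) = struct.unpack_from("<I", data, 4)
    return (version & 0xFFFF) == MINIDUMP_VERSION


def is_procdump_style_lsass(cmdline: str) -> bool:
    """'-ma' (full) or '-mm' (mini) dump switch aimed at lsass.

    The binary name is deliberately not required, so a renamed procdump
    still matches; the trade-off is a possible false positive on another
    tool that happens to use the same switch against lsass.
    """
    c = cmdline.lower()
    return re.search(r"(^|\s)-m[am](\s|$)", c) is not None and "lsass" in c


def is_comsvcs_minidump(cmdline: str) -> bool:
    """Any invocation of comsvcs.dll's MiniDump export (usually via rundll32)."""
    c = cmdline.lower()
    return "comsvcs" in c and "minidump" in c


def parse_event(line: str) -> dict:
    """Constructed 'Key=Value|Key=Value' event format used by this example."""
    return dict(field.split("=", 1) for field in line.split("|"))


def scan_events(lines):
    """Return (indicator, command line) pairs for matching process events."""
    hits = []
    for line in lines:
        cmd = parse_event(line).get("CommandLine", "")
        if is_procdump_style_lsass(cmd):
            hits.append(("procdump_lsass", cmd))
        if is_comsvcs_minidump(cmd):
            hits.append(("comsvcs_minidump", cmd))
    return hits


def scan_files(files):
    """files: {path: bytes}. Return the paths whose content is a minidump."""
    return [path for path, data in files.items() if looks_like_minidump(data)]


SAMPLE_EVENTS = [  # constructed process-creation events
    "EventID=1|Image=C:\\Windows\\System32\\svchost.exe|CommandLine=svchost.exe -k netsvcs",
    # procdump renamed to pd64.exe: the name check would miss it, the switch check does not
    "EventID=1|Image=C:\\Temp\\pd64.exe|CommandLine=pd64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp",
    "EventID=1|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\Temp\\out.bin full",
    "EventID=1|Image=C:\\Windows\\System32\\rundll32.exe|CommandLine=rundll32.exe shell32.dll,Control_RunDLL",
    "EventID=1|Image=C:\\Tools\\procdump64.exe|CommandLine=procdump64.exe -ma notepad.exe",
]

SAMPLE_FILES = {  # constructed bytes, not real dumps
    "C:\\Temp\\out.bin": MINIDUMP_SIGNATURE + struct.pack("<I", 0x0001A793) + b"\x00" * 24,
    "C:\\Temp\\notes.dmp": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,  # .dmp name, PNG content
    "C:\\Temp\\short": b"MDMP",  # signature alone, header truncated
}

if __name__ == "__main__":
    for indicator, cmd in scan_events(SAMPLE_EVENTS):
        print(f"{indicator}: {cmd}")
    for path in scan_files(SAMPLE_FILES):
        print(f"minidump on disk: {path}")
```

Running the example reports the renamed procdump event and the comsvcs.dll MiniDump event, but not the procdump run against notepad, and flags only C:\Temp\out.bin as a dump on disk: the PNG named .dmp and the truncated "MDMP" stub are rejected. The point of pairing the two checks is the one the post makes: the command-line indicators only exist if process creation was logged, while the on-disk check still works afterwards as long as the dump has not been deleted.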

PowerShell Tools

The Nishang and PowerCat PowerShell tools are partly covered by our existing signatures.

Look for the following keywords:

  • p0wnedPowerCat
  • Nishang
  • ‘Malicious Nishang PowerShell Commandlets’ (Sigma)

We wrote new rules for PowerCat and Nishang's PowerShell tools to achieve better coverage:

  • HKTL_PS1_PowerCat_Mar21
  • HKTL_Nishang_PS1_Invoke_PowerShellTcpOneLine

Both new rules will be available on 4th of March.

Remember that you can check THOR’s signature set for certain keywords yourself using the ‘--print-signatures’ command line flag.

About the author:

Florian Roth

Florian Roth serves as the Head of Research and Development at Nextron Systems. With a background in IT security since 2000, he has delved deep into nation-state cyber attacks since 2012. Florian has developed the THOR Scanner and actively engages with the community via his Twitter handle @cyb3rops. He has contributed to open-source projects, including 'Sigma', a generic SIEM rule format, and 'LOKI', an open-source scanner. Additionally, he has shared valuable resources like a mapping of APT groups and operations and an Antivirus Event Analysis Cheat Sheet.
