HAFNIUM - Exchange 0-day exploits

This playbook includes the following tasks: Collect indicators to be used in your threat hunting process Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities Discover IOCs related to the attack Query firewall logs to detect malicious network activity Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0). Block indicators Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Sources: https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Rapid Breach Response · 62 tasks · 1 input · 0 outputs

Inputs

  • BlockIndicatorsAutomatically — Whether to automatically indicators involved with HAFNIUM exploits

Commands used

expanse-get-issues extractIndicators linkIncidents setIndicators splunk-search

Flowchart

yes yes No Yes yes No Yes yes Qradar Splunk Start Start Collect and Enrich IOCs Collect and Enrich IOCs Retrieve IOCs from Microsoft blog - http Retrieve IOCs from Micros... http Retrieve IOCs from Volexity blog - http Retrieve IOCs from Volexi... http Tag Indicators Tag Indicators Tag CVE's indicators - setIndicators Tag CVE's indicators setIndicators Tag IP's indicators - setIndicators Tag IP's indicators setIndicators Tag file hashes indicators - setIndicators Tag file hashes indicators setIndicators Hunt IOCs Hunt IOCs Search Endpoint by CVE - Generic - Search Endpoint by CVE - Generic Search Endpoint by CVE - ... Search Endpoint by CVE - Generic Search Endpoints By Hash - Generic V2 - Search Endpoints By Hash - Generic V2 Search Endpoints By Hash ... Search Endpoints By Hash - Ge... Palo Alto Networks - Hunting And Threat Detection - Palo Alto Networks - Hunting And Threat Detection Palo Alto Networks - Hunt... Palo Alto Networks - Hunting ... Investigate further Investigate further Done Done Search XDR incidents for HAFNIUM activity - SearchIncidentsV2 Search XDR incidents for ... SearchIncidentsV2 Remediation Remediation Block Indicators - Generic v2 - Block Indicators - Generic v2 Block Indicators - Generi... Block Indicators - Generic v2 Expanse Issues Search Expanse Issues Search Is Expanse enabled? Is Expanse enabled? Search Activities Related To the 0-Day Exploits Search Activities Related... XDR Related Incidents XDR Related Incidents Search issues related to Exchange and OWA - expanse-get-issues Search issues related to ... expanse-get-issues Retrieve indicators from Azure GitHub - http Retrieve indicators from ... http Block indicators automatically? Block indicators automati... Manually block indicators Manually block indicators Check Patch Level Check Patch Level Check patch levels of Exchange Server Check patch levels of Exc... Set Exchange patched flag to true - Set Set Exchange patched flag... Set Set Exchange patched flag to false - Set Set Exchange patched flag... Set Is the Exchange Server patched? Is the Exchange Server pa... Is it possible to patch the Exchange Server? Is it possible to patch t... Install March 2021 Exchange security patches Install March 2021 Exchan... Mitigation Mitigation Interim mitigations Interim mitigations Is Cortex XDR enabled? Is Cortex XDR enabled? Manually Hunt Windows Event Logs Manually Hunt Windows Eve... Nishang PowerShell framework Nishang PowerShell framework Powercat detection Powercat detection UMWorkerProcess.exe in Exchange creating abnormal content UMWorkerProcess.exe in Ex... UMWorkerProcess.exe spawning UMWorkerProcess.exe spawning Hunt Windows Events Hunt Windows Events Nishang PowerShell event 4104 - splunk-search Nishang PowerShell event ... splunk-search Powercat detection - splunk-search Powercat detection splunk-search UMWorkerProcess.exe in Exchange creating abnormal content - splunk-search UMWorkerProcess.exe in Ex... splunk-search UMWorkerProcess.exe spawning - splunk-search UMWorkerProcess.exe spawning splunk-search IIS authentication bypass vulnerability IIS authentication bypass... IIS authentication bypass vulnerability - splunk-search IIS authentication bypass... splunk-search Is SIEM Enabled? Is SIEM Enabled? Nishang PowerShell event 4688 - splunk-search Nishang PowerShell event ... splunk-search SIEM Indicators Hunting SIEM Indicators Hunting Splunk Indicator Hunting - Splunk Indicator Hunting Splunk Indicator Hunting Splunk Indicator Hunting Search for related Expanse incident - SearchIncidentsV2 Search for related Expans... SearchIncidentsV2 Link related incidents - linkIncidents Link related incidents linkIncidents QRadar Indicator Hunting V2 - QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 QRadar Indicator Hunting V2 Hunt Using Splunk Hunt Using Splunk Hunt Using Qradar Hunt Using Qradar QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch QRadarFullSearch - QRadarFullSearch QRadarFullSearch QRadarFullSearch Extract IOCs from blogs - extractIndicators Extract IOCs from blogs extractIndicators