Analytics Story: HAFNIUM Group

Date: 2021-03-03 ID: beae2ab0-7c3f-11eb-8b63-acde48001122 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

HAFNIUM group was identified by Microsoft as exploiting 4 Microsoft Exchange CVEs in the wild - CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Why it matters

On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable. While the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server. The following Splunk detections assist with identifying the HAFNIUM groups tradecraft and methodology.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Email servers sending high volume traffic to hosts Email Collection, Remote Email Collection Anomaly
Dump LSASS via procdump Rename LSASS Memory Hunting
Any Powershell DownloadString Command and Scripting Interpreter, PowerShell, Ingress Tool Transfer TTP
Detect Exchange Web Shell Server Software Component, Web Shell, Exploit Public-Facing Application, External Remote Services TTP
Detect New Local Admin account Local Account, Create Account TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Detect Webshell Exploit Behavior Server Software Component, Web Shell TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Dump LSASS via procdump LSASS Memory, OS Credential Dumping TTP
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Nishang PowershellTCPOneLine Command and Scripting Interpreter, PowerShell TTP
Ntdsutil Export NTDS NTDS, OS Credential Dumping TTP
PowerShell - Connect To Internet With Hidden Window PowerShell, Command and Scripting Interpreter Hunting
Set Default PowerShell Execution Policy To Unrestricted or Bypass Command and Scripting Interpreter, PowerShell TTP
W3WP Spawning Shell Server Software Component, Web Shell TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4720 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4732 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1