In light of recent zero-day vulnerabilities and in-the-wild exploitation against Microsoft Exchange Server 2010, 2013, 2016 and 2019, RocketCyber has created a dedicated app to detect indicators of compromise associated with the exploitation of the following vulnerabilities:
What This App Does
This app first detects whether Exchange Server is installed on the device, then checks whether the patch associated with the CVEs is installed. If the patch is not installed, an Incident is generated for the device.
After checking the patch status of the device, the app performs a series of detections looking for indicators of compromise (IOCs) related to active exploitation of the vulnerabilities. These IOCs include the following:
- Analysis of the Exchange and IIS web log files for IOCs
- Analysis of web content files (.aspx, .php, etc.) for web shells that may have been dropped.
For each IOC detected, an Incident will be created.
The app scans for IOCs every hour and reports new items as they are detected.
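The two detection passes described above, reduced to a runnable sketch. This is an added example written for this page, not RocketCyber's code: the IIS log lines, the .aspx file contents, the allowlist of expected pages under /owa/auth/, the list of directories treated as static-only and the web-shell patterns are all constructed assumptions. It reads W3C IIS log lines using the #Fields header (so the column order is taken from the log, not hard-coded), flags .aspx requests in a directory that should only serve static client files and requests to unexpected pages under /owa/auth/, and scores .aspx file contents against generic web-shell heuristics, emitting one finding per hit in the same way the app raises one Incident per IOC.

```python
"""Sketch of IIS log and web-content IOC detection for an Exchange host.
All sample data below is constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed IIS W3C extended log excerpt. The #Fields header drives parsing;
# IIS encodes spaces inside fields (e.g. the User-Agent) as '+', so splitting
# on single spaces is safe for well-formed lines.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx url=x 443 - 203.0.113.7 Mozilla/5.0 200
2021-03-03 10:15:09 10.0.0.5 POST /owa/auth/helpdesk.aspx - 443 - 198.51.100.9 python-requests/2.25 200
2021-03-03 10:16:22 10.0.0.5 POST /aspnet_client/system_web/shell.aspx - 443 - 198.51.100.9 - 200
2021-03-03 10:17:00 10.0.0.5 GET /ecp/default.aspx - 443 CORP\\alice 10.0.0.20 Mozilla/5.0 200
2021-03-03 10:18:41 10.0.0.5 POST /ecp/default.aspx - 443 - 198.51.100.9 - 200
"""

# Constructed web content: a benign sign-in page and a file with web-shell traits.
SAMPLE_FILES = {
    r"C:\inetpub\wwwroot\owa\auth\logon.aspx":
        '<%@ Page Language="C#" %>\n<html><body>Sign in</body></html>\n',
    r"C:\inetpub\wwwroot\aspnet_client\shell.aspx":
        '<%@ Page Language="JScript" %><% eval(Request.Item["x"], "unsafe"); %>',
}

# Assumed allowlist: .aspx pages expected to be served from /owa/auth/.
EXPECTED_AUTH_PAGES = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}
# Assumed: these directories normally hold only static client files, never .aspx.
STATIC_ONLY_DIRS = ("/aspnet_client/",)

# Generic web-shell heuristics; any single pattern can occur in legitimate code,
# so a file is only flagged when MIN_HITS or more patterns match.
WEBSHELL_PATTERNS = [
    (re.compile(r'Request(\.Item)?\s*\[\s*"[^"]+"\s*\]'), "reads a request parameter"),
    (re.compile(r"\beval\s*\(", re.I), "dynamic code evaluation"),
    (re.compile(r'Language\s*=\s*"JScript"', re.I), "JScript page language"),
    (re.compile(r"Process\.Start|cmd\.exe|powershell", re.I), "spawns a process"),
    (re.compile(r"Page_Load[^{]*\{[^}]*(Request|eval)", re.I | re.S), "request-driven code on page load"),
]
MIN_HITS = 2


@dataclass
class Finding:
    source: str    # "iis-log" or "web-content"
    detail: str
    severity: str  # "high" or "medium"


def parse_iis_log(text):
    """Return one dict per data line, keyed by the names in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, parts)))
    return rows


def scan_log_rows(rows):
    """Flag .aspx requests that do not fit the expected layout of the site."""
    findings = []
    for r in rows:
        stem = r.get("cs-uri-stem", "").lower()
        method, client = r.get("cs-method", ""), r.get("c-ip", "?")
        if not stem.endswith(".aspx"):
            continue
        if stem.startswith(STATIC_ONLY_DIRS):
            findings.append(Finding("iis-log", f"{method} to .aspx in static-only path {stem} from {client}", "high"))
        elif stem.startswith("/owa/auth/") and stem.rsplit("/", 1)[1] not in EXPECTED_AUTH_PAGES:
            findings.append(Finding("iis-log", f"{method} to unexpected OWA auth page {stem} from {client}", "high"))
        elif method == "POST" and r.get("cs(User-Agent)", "-") == "-":
            findings.append(Finding("iis-log", f"POST to {stem} with no User-Agent from {client}", "medium"))
    return findings


def score_webshell(content):
    """Return the descriptions of every web-shell heuristic the content matches."""
    return [desc for rx, desc in WEBSHELL_PATTERNS if rx.search(content)]


def scan_files(files, min_hits=MIN_HITS):
    """Flag files whose content matches at least min_hits web-shell heuristics."""
    findings = []
    for path, content in files.items():
        hits = score_webshell(content)
        if len(hits) >= min_hits:
            findings.append(Finding("web-content", f"{path}: {'; '.join(hits)}", "high"))
    return findings


def run_scan(log_text=SAMPLE_IIS_LOG, files=SAMPLE_FILES):
    """Run both passes; each returned Finding corresponds to one Incident."""
    return scan_log_rows(parse_iis_log(log_text)) + scan_files(files)


if __name__ == "__main__":
    for f in run_scan():
        print(f"[{f.severity}] {f.source}: {f.detail}")
```

On a real server the log text would come from the IIS log directory and the file map from a walk of the web root; the allowlist and static-only directory list should be tuned to the site, since a stale allowlist turns into noise after an Exchange update adds pages.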
Other RocketApps that assist in detecting Hafnium Exploitation
The Advanced Breach Detection app has advanced PowerShell detection capabilities for variants of the Nishang and Powercat scripts used in these attacks.
How to Enable This App
From the left-hand navigation menu, click App Store.
Scroll down until you see the Microsoft Exchange Hafnium Exploit Detection app.
Switch the slider to ON.
The app is now enabled on the agents deployed in the network and will start detecting these IOCs and checking patch status.