Microsoft Exchange Hafnium Exploit Detection App

 

In light of recent zero-day vulnerabilities and in-the-wild exploitation against Microsoft Exchange Server 2010, 2013, 2016 and 2019, RocketCyber has created a dedicated app to detect indicators of compromise associated with the exploitation of the following vulnerabilities:

 

What This App Does

This app first detects whether Exchange Server is installed on the device, then checks whether the patch associated with the CVEs is installed. If the patch is not installed, an Incident is generated for the device.

After checking the patch status of the device, the app runs a series of detections looking for indicators of compromise (IOCs) related to active exploitation of the vulnerabilities. These IOCs include:

  • Analysis of the Exchange and IIS web logs for IOCs
  • Analysis of web content files (.aspx, .php, etc.) for web shells that may have been dropped

For each IOC detected, an Incident will be created.

The app scans for IOCs every hour and reports new items as they are detected.

 

Other RocketApps that assist in detecting Hafnium Exploitation

The Advanced Breach Detection app has PowerShell detection capabilities for variants of the Nishang and Powercat scripts used in these attacks.

 

How to Enable This App

From the left-hand navigation menu, click App Store.

Scroll down until you see the Microsoft Exchange Hafnium Exploit Detection app.

Switch the slider to ON.

 

The app is now enabled on the agents deployed in the network and will start checking patch status and detecting these IOCs.
