Techniques
Sample rules
MS Exchange Mailbox Replication service writing Active Server Pages
- source: splunk
- technicques:
- T1133
- T1190
- T1505.003
Description
The following analytic identifies the creation of suspicious .aspx files in specific directories associated with Exchange exploitation by the HAFNIUM group and the ProxyShell vulnerability. It detects this activity by monitoring the MSExchangeMailboxReplication.exe process, which typically does not write .aspx files. This behavior is significant as it may indicate an active exploitation attempt on Exchange servers. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary code, or maintain persistence within the environment. Immediate investigation and remediation are crucial to prevent further compromise.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=MSExchangeMailboxReplication.exe by _time span=1h Processes.process_id Processes.process_name Processes.process_guid Processes.dest
| `drop_dm_object_name(Processes)`
| join process_guid, _time [
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name="*.aspx" by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| fields _time dest file_create_time file_name file_path process_name process_path process process_guid]
| dedup file_create_time
| table dest file_create_time, file_name, file_path, process_name
| `ms_exchange_mailbox_replication_service_writing_active_server_pages_filter`
Detect Exchange Web Shell
- source: splunk
- technicques:
- T1133
- T1190
- T1505.003
Description
The following analytic identifies the creation of suspicious .aspx files in known drop locations for Exchange exploitation, specifically targeting paths associated with HAFNIUM group and vulnerabilities like ProxyShell and ProxyNotShell. It leverages data from the Endpoint datamodel, focusing on process and filesystem events. This activity is significant as it may indicate a web shell deployment, a common method for persistent access and remote code execution. If confirmed malicious, attackers could gain unauthorized access, execute arbitrary commands, and potentially escalate privileges within the Exchange environment.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\HttpProxy\\owa\\auth\\*", "*\\inetpub\\wwwroot\\aspnet_client\\*", "*\\HttpProxy\\OAB\\*") Filesystem.file_name IN( "*.aspx", "*.ashx") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `detect_exchange_web_shell_filter`
Windows Office Product Dropped Cab or Inf File
- source: splunk
- technicques:
- T1566.001
Description
The following analytic detects Office products writing .cab or .inf files, indicative of CVE-2021-40444 exploitation. It leverages the Endpoint.Processes and Endpoint.Filesystem data models to identify Office applications creating these file types. This activity is significant as it may signal an attempt to load malicious ActiveX controls and download remote payloads, a known attack vector. If confirmed malicious, this could lead to remote code execution, allowing attackers to gain control over the affected system and potentially compromise sensitive data.
Detection logic
| tstats prestats=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes where `process_office_products` by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| tstats prestats=t append=t `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_name IN ("*.cab", "*.inf") by Filesystem.action Filesystem.dest Filesystem.file_access_time Filesystem.file_create_time Filesystem.file_hash Filesystem.file_modify_time Filesystem.file_name Filesystem.file_path Filesystem.file_acl Filesystem.file_size Filesystem.process_guid Filesystem.process_id Filesystem.user Filesystem.vendor_product
| `drop_dm_object_name(Filesystem)`
| table action dest original_file_name parent_process parent_process_exec parent_process_guid parent_process_id parent_process_name parent_process_path process process_exec process_guid process_hash process_id process_integrity_level process_name process_path user user_id vendor_product file_access_time file_create_time file_hash file_modify_time file_name file_path file_acl file_size firstTime lastTime
| stats values(action) as action values(dest) as dest values(original_file_name) as original_file_name values(parent_process) as parent_process values(parent_process_exec) as parent_process_exec values(parent_process_guid) as parent_process_guid values(parent_process_id) as parent_process_id values(parent_process_name) as parent_process_name values(parent_process_path) as parent_process_path values(process) as process values(process_exec) as process_exec values(process_hash) as process_hash values(process_id) as process_id values(process_integrity_level) as process_integrity_level values(process_name) as process_name values(process_path) as process_path values(user) as user values(user_id) as user_id values(vendor_product) as vendor_product values(file_access_time) as file_access_time values(file_create_time) as file_create_time values(file_hash) as file_hash values(file_modify_time) as file_modify_time values(file_name) as file_name values(file_path) as file_path values(file_acl) as file_acl values(file_size) as file_size by process_guid
| where isnotnull(process) AND isnotnull(file_name)
| `windows_office_product_dropped_cab_or_inf_file_filter`
Windows MOVEit Transfer Writing ASPX
- source: splunk
- technicques:
- T1190
- T1133
Description
The following analytic detects the creation of new ASPX files in the MOVEit Transfer application’s “wwwroot” directory. It leverages endpoint data on process and filesystem activity to identify processes responsible for creating these files. This activity is significant as it may indicate exploitation of a critical zero-day vulnerability in MOVEit Transfer, used by threat actors to install malicious ASPX files. If confirmed malicious, this could lead to exfiltration of sensitive data, including user credentials and file metadata, posing a severe risk to the organization’s security.
Detection logic
| tstats `security_content_summariesonly` count FROM datamodel=Endpoint.Processes where Processes.process_name=System by _time span=1h Processes.process_id Processes.process_name Processes.dest
| `drop_dm_object_name(Processes)`
| join process_guid, _time [
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\MOVEitTransfer\\wwwroot\\*") Filesystem.file_name IN("*.aspx", "*.ashx", "*.asp*") OR Filesystem.file_name IN ("human2.aspx","_human2.aspx") by _time span=1h Filesystem.dest Filesystem.file_create_time Filesystem.file_name Filesystem.file_path
| `drop_dm_object_name(Filesystem)`
| fields _time dest file_create_time file_name file_path process_name process_path process]
| dedup file_create_time
| table dest file_create_time, file_name, file_path, process_name
| `windows_moveit_transfer_writing_aspx_filter`