This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 7.x
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Blog

Subscribe to the official RSA NetWitness Platform blog for information about new product features, industry insights, best practices, and more.
  • RSA Link
  • :
  • Products
  • :
  • RSA NetWitness Platform
  • :
  • Blogs
  • :
  • Hafnium/Microsoft Exchange Breach Detection with N...

Hafnium/Microsoft Exchange Breach Detection with NetWitness

HalimAbouzeid
Respected Contributor HalimAbouzeid Respected Contributor
Respected Contributor
1 0 401
  • Subscribe to RSS Feed
  • Mark as New
  • Mark as Read
  • Bookmark
  • Subscribe
  • Email to a Friend
  • Printer Friendly Page
  • Report Inappropriate Content
4 weeks ago

Hafnium, a state-sponsored APT group, is believed to have potentially compromised tens of thousands of organizations globally by leveraging multiple 0-day vulnerabilities (such as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) affecting on-prem Microsoft Exchange servers.

 

If you are running an on-prem version of Microsoft Exchange, and specifically have OWA enabled, it is highly recommended to check your historical data (logs, network and endpoint) for any indicator of compromise.

 

In this post, we will look at some of different IOCs and queries that can be performed on NetWitness to help you start an investigation and potentially identify if your environment has been impacted by this attack.

These queries are initial queries, and further queries, filtering and investigations are needed to confirm a breach, such as filtering specifically on events related to your Exchange server's IP addresses, filtering out unsuccessful scanning activity (such as those returning specific HTTP error codes, empty payloads ….), or similar behaviors that might be known and legitimate in your specific environment.  

 

The queries and details of the attack are based on the report published by Microsoft available at the following URL: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

 

 

 

Pre-Query

Queries mentioned in this document depend on the type of data collected on NetWitness:

  • NetWitness Logs: logging events from your Exchange’s IIS server
  • NetWitness Network: network events based on full packet capture where OWA traffic is not encrypted.
  • NetWitness Endpoint: Events based on the Endpoint agents running on the Exchange server

 

For all queries mentioned in this document, start by filtering events specifically targeting your Exchange Servers’ IP addresses.

 

NetWitness Network:

ip.dst = <exchange_ip> || alias.ip = <exchange_ip>

 

NetWitness Logs:

ip.dst = <exchange_ip> || device.ip = <exchange_ip>

 

NetWitness Endpoint:

ip.src=<exchange_ip> || ip.dst = <exchange_ip>

 

 

 

Authentication Bypass

The threat actor exploits the vulnerabilities to bypass authentication on Microsoft Exchange. This requires sending specially crafted HTTP POST requests, such as:

  • POST /owa/auth/Current/themes/resources/
  • POST /ecp/default.flt
  • POST /ecp/main.css
  • POST /ecp/<single character>.js

NetWitness Logs/Network Query:

 

action = 'post' && (directory = '/owa/auth/Current/themes/resources/' || (directory = '/ecp/' && filename = 'main.css','default.flt'))

 

 

One of the POST requests targets JavaScript file with a single character filename (“/ecp/<single character>.js”). This can be queried using RegEx, but it should be noted that such queries can be slower when executed on large sets of data and should be used with caution.

 

NetWitness Logs/Network RegEx Query:

action = 'post' && directory = '/ecp/' && filename regex '^.\.js'

 

 

 

The following are User-Agents have been observed initiating the HTTP POST requests:

  • DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
  • facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
  • Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
  • Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
  • Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
  • Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
  • Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36
  • ExchangeServicesClient/0.0.0.0
  • python-requests/2.19.1
  • python-requests/2.25.1

 

NetWitness Logs/Network Query:

 

user.agent = 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)','facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)','Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)','Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)','Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html','Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)','Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)','Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)','Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36','ExchangeServicesClient/0.0.0.0','python-requests/2.19.1','python-requests/2.25.1'

 

 

The above queries can be combined to filter further any potential results.

 

 

 

Web Shells

Once the threat actor compromises the environment, they have been seen deploying Web Shells on the compromised server. In some cases, the web shell has been added to existing legitimate aspx files, and therefore it is recommended to check the date when those files were last modified to identify any potential anomaly or unexpected changes.

Some of the identified web shell filenames include:

  • web.aspx
  • help.aspx
  • document.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • aspnet_www.aspx
  • aspnet_client.aspx
  • xx.aspx
  • shell.aspx
  • aspnet_iisstart.aspx
  • one.aspx
  • errorcheck.aspx
  • t.aspx
  • discover.aspx
  • aspnettest.aspx
  • error.aspx
  • shellex.aspx
  • supp0rt.aspx
  • HttpProxy.aspx
  • <8 random characters>.aspx

 

NetWitness Logs/Network Query:

 

filename = 'web.aspx','help.aspx','document.aspx','errorEE.aspx','errorEEE.aspx','errorEW.aspx','errorFF.aspx','healthcheck.aspx','aspnet_www.aspx','aspnet_client.aspx','xx.aspx','shell.aspx','aspnet_iisstart.aspx','one.aspx','errorcheck.aspx','t.aspx','discover.aspx','aspnettest.aspx','error.aspx','shellex.aspx','supp0rt.aspx','HttpProxy.aspx'

 

 

One of the observed .aspx filenames is a sequence of 8 randomly generated characters. We can use regular expressions to identify filenames with exactly 8 characters. The analyst should manually identify which of the results look randomly generated as the query could typically return legitimate filenames that happen to be 8 character long.

As mentioned above, whenever using regular expressions on large sets of data, do expect slower query times and use with caution.

  

NetWitness Logs/Network RegEx Query: 

filename regex '^[a-zA-Z0-9]{8}\.aspx'

 

 

Filtering Out Scanning Activity:
As this breach became public, increased scanning activity has been observed by multiple different threat actors scanning for already installed web shells, and it’s therefore possible to see traffic targeting a “blacklisted” filename that might not exist in your environment, which would create unnecessary noise. As these would typically return an HTTP client error status code, and to help filter out some of these unwanted unsuccessful scanning events, the above queries can be combined with the following one to only look at events that didn’t return an HTTP error code:

error !exists

 

 

 

More generally, it is possible to leverage NetWitness Endpoint to look at behaviors of the web service process (“w3wp.exe”) that could be suspicious. For example, the below behaviors are often associated with Web Shell activity.

 

NetWitness Endpoint Query:

boc = 'http daemon runs command prompt','http daemon runs powershell','http daemon runs reconnaissance tool' || analysis.file = 'http daemon writes executable'

 

 

 

Then, access to the web shells has been seen originating from specific user agents, such as:

  • antSword/v2.1
  • Googlebot/2.1+(+http://www.googlebot.com/bot.html)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

 

NetWitness Logs/Network Query:

 

user.agent = 'antSword/v2.1','Googlebot/2.1+(+http://www.googlebot.com/bot.html)','Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'

 

 

 

 

Some of the IP addresses seen to have been used by the Threat Actor:

  • 103.77.192.219
  • 104.140.114.110
  • 104.250.191.110
  • 108.61.246.56
  • 149.28.14.163
  • 157.230.221.198
  • 167.99.168.251
  • 185.250.151.72
  • 192.81.208.169
  • 203.160.69.66
  • 211.56.98.146
  • 5.254.43.18
  • 80.92.205.81
  • 165.232.154.116
  • 182.18.152.105
  • 89.34.111.11
  • 86.105.18.116
  • 5.2.69.14
  • 91.192.103.43

It should be noted that some of these IP addresses are linked to VPN services and to the Tor network, and therefore traffic from these IP addresses might not always be specifically linked to this attack campaign.

 

NetWitness Query:

 

ip.all = 103.77.192.219,104.140.114.110,104.250.191.110,108.61.246.56,149.28.14.163,157.230.221.198,167.99.168.251,185.250.151.72,192.81.208.169,203.160.69.66,211.56.98.146,5.254.43.18,80.92.205.81,165.232.154.116,182.18.152.105,89.34.111.11,86.105.18.116,5.2.69.14,91.192.103.43

 

 

 

 

Password Dumping

After exploiting the system, they have been seen using procdump to dump the LSASS process memory and compromise user credentials.

 

NetWitness Endpoint Query:

 

filename.all = 'procdump64.exe','procdump.exe' && param.all contains 'lsass.exe'

 

 

 

More generally, NetWitness Endpoint can detect password dumping activity using the following query:

 

attack.technique = 'credential dumping'

 

 

 

 

Data Exfiltration

The threat actor uses 7zip and WinRar to compress stolen data before exfiltrating it. They have been seen storing the file under the “C:\ProgramData\” folder.

 

NetWitness Endpoint Query:

 

filename.all = '7z.exe','rar.exe' && param.all contains 'programdata'

 

 

 

 

Reverse Shell

The threat actor has also used the Nishang PowerShell Framework to establish a reverse shell.

 

NetWitness Endpoint Query:

 

filename.all = 'powershell.exe','powershell_ise.exe' && param.all contains 'Net.Sockets.TCPClient'

 

 

Note that this query doesn’t specifically identify the use of Nishang but would filter on PowerShell events that should be investigated further.

 

 

 

Download of Tools from GitHub

The Attacker has also been seen downloading additional tools from GitHub, such as powercat, which is a PowerShell version of Netcat.

 

NetWitness Endpoint Query:

 

filename.all = 'powershell.exe','powershell_ise.exe','cmd.exe' && param.all contains 'powercat'

 

 

NetWitness Logs/Network query:

 

alias.host = 'raw.githubusercontent.com' && filename = 'powercat.ps1'

 

 

 

 

NetWitness would detect some of these behaviors out of the box without the need for these specific queries to be done manually. In those cases, the information would directly be available in the “ioc” (Indicator of Compromise) and “boc” (Behavior of Compromise) meta keys.

 

For more details on investigating additional techniques used by APT groups: https://community.rsa.com/t5/rsa-netwitness-platform-blog/profiling-attackers-series/ba-p/517665

 

Labels
  • Use Cases
Tags (9)
  • Tags:
  • 0-day
  • apt
  • breach
  • detection
  • exchange
  • hafnium
  • Microsoft
  • owa
  • zeroday
1 Like
Share

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

  • Comment
Latest Articles
  • NetWitness 11.x non-node-zero host upgrade via loc...
  • Hafnium/Microsoft Exchange Breach Detection with N...
  • NetWitness 11.x Administration Series
  • Sunburst/Solorigate round-up
  • The Hunt for Web Attacks
  • Network Cloud Visibility with AWS Traffic Mirrorin...
  • Analysing EVTX files in NetWitness through Winlogb...
  • NetWitness Retention Script: Understanding The Nu...
  • Interface Bonding - Putting it all together
  • Using RSA Logs and/or Packets to Send or Receive D...
Labels
  • Announcements 43
  • Events 2
  • Features 5
  • Resources 44
  • Tutorials 12
  • Use Cases 9
  • Videos 118
Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2021 RSA Security LLC or its affiliates.
All rights reserved.