Hafnium Exchange Vuln Detection - KQL

Mar 5th, 2021
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. let networkEvent = DeviceNetworkEvents
  2. | where ActionType == "InboundConnectionAccepted" and InitiatingProcessFileName =~ "System"
  3. | extend netTimestamp = Timestamp
  4. | project DeviceId, DeviceName, netTimestamp, RemoteIP, RemotePort; //Grab a table of all accepted inbound connections, projecting the Timestamp for further manipulation
  5. let shellWrite = DeviceFileEvents
  6. | where ActionType == "FileCreated" and FolderPath has "inetpub" and FileName has_any (".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml")
  7. | project DeviceName, DeviceId, Timestamp, FileName, FolderPath; //Grab a table of all created files in inetpub, with a file extension ending in ".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml". Projecting timestamp for further manipulation
  8. DeviceFileEvents
  9. | where (FileName =~ "applicationHost.config" or FileName =~ "administration.config") and FolderPath contains "inetpub" //Grab all instances of updates to the IIS applicationHost.config or administration.config
  10. | join shellWrite on DeviceName, DeviceId
  11. | join networkEvent on DeviceId, DeviceName
  12. | extend time_diff = datetime_diff('second',Timestamp,Timestamp1) //create a time differential column for shellWrite and config update
  13. | extend netTimeDiff = datetime_diff('second',Timestamp1,netTimestamp) //create a time differential column for networkEvent and the shellWrite
  14. | where (time_diff <= 60 and time_diff >= 0) and (netTimeDiff <= 10 and netTimeDiff >= 0) //differential filtering for networkEvent and shellWrite
RAW Paste Data

Adblocker detected! Please consider disabling it...

We've detected AdBlock Plus or some other adblocking software preventing from fully loading.

We don't have any obnoxious sound, or popup ads, we actively block these annoying types of ads!

Please add to your ad blocker whitelist or disable your adblocking software.