HAFNIUM Queries

2021-03-02 13:09:15 -08:00 · 2021-03-02 13:09:15 -08:00 · fe18733f55
--- a/.script/tests/KqlvalidationsTests/CustomTables/http_proxy_oab_CL.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/http_proxy_oab_CL.json
@ -0,0 +1,61 @@
+{
+  "Name": "http_proxy_oab_CL",
+  "Properties": [
+    {
+      "Name": "TenantId", 
+      "Type": "String"
+    },
+    {
+      "Name": "SourceSystem",
+      "Type": "String"
+    },
+    {
+      "Name": "MG",
+      "Type": "String"
+    },
+    {
+      "Name": "ManagementGroupName", 
+      "Type": "String"
+    },
+    {
+      "Name": "TimeGenerated", 
+      "Type": "DateTime"
+    },
+    {
+      "Name": "Computer", 
+      "Type": "String"
+    },
+    {
+      "Name": "RawData", 
+      "Type": "String"
+    },
+    {
+      "Name": "_Fields_Timestamp_t", 
+      "Type": "DateTime"
+    },
+    {
+      "Name": "RecordType_s", 
+      "Type": "String"
+    },
+    {
+      "Name": "ContextId_g", 
+      "Type": "String"
+    },
+    {
+      "Name": "OabGuid_g", 
+      "Type": "String"
+    },
+    {
+      "Name": "Message", 
+      "Type": "String"
+    },
+    {
+      "Name": "Type", 
+      "Type": "String"
+    },
+    {
+      "Name": "_ResourceId", 
+      "Type": "String"
+    }
+  ]
+}
--- a/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yml
+++ b/Detections/MultipleDataSources/HAFNIUMUmServiceSuspiciousFile.yml
@ -0,0 +1,55 @@
+id: 7d6d8a8e-b08a-4082-8dbb-d7fd2cbbc35e
+name: HAFNIUM UM Service writing suspicious file.
+description: |
+  'This query looks for the Exchange server UM process writing suspicious files that may be indicative of webshells.
+  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
+severity: High
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+  - connectorId: MicrosoftThreatProtection
+    dataTypes:
+      - DeviceFileEvents
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
+  union isfuzzy=true
+  (SecurityEvent
+  | where EventID == 4663
+  | where Process has_any ("umworkerprocess.exe", "UMService.exe")
+  | where ObjectName has_any (scriptExtensions)
+  | where AccessMask in ('0x2','0x100', '0x10', '0x4')),
+  (DeviceFileEvents
+  | where ActionType =~ "FileCreated"
+  | where InitiatingProcessFileName has_any ("umworkerprocess.exe", "UMService.exe")
+  | where FileName has_any(scriptExtensions))
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: InitiatingProcessAccountUpn
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: DeviceName
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yml
+++ b/Detections/SecurityEvent/HAFNIUMNewUMServiceChildProcess.yml
@ -0,0 +1,44 @@
+id: 95a15f39-d9cc-4667-8cdd-58f3113691c9
+name: HAFNIUM New UM Service Child Process
+description: |
+  'This query looks for new processes being spawned by the Exchange UM service where that process has not previously been observed before. 
+  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: SecurityEvent
+    dataTypes:
+      - SecurityEvent
+queryFrequency: 1d
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  let lookback = 14d;
+  let timeframe = 1d;
+  SecurityEvent
+  | where TimeGenerated > ago(lookback) and TimeGenerated < ago(timeframe)
+  | where EventID == 4688
+  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
+  | join kind=rightanti (
+  SecurityEvent
+  | where TimeGenerated > ago(timeframe)
+  | where ParentProcessName has_any ("umworkerprocess.exe", "UMService.exe")
+  | where EventID == 4688) on NewProcessName
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Detections/SecurityEvent/HAFNIUMSuspiciousUMServiceError.yml
+++ b/Detections/SecurityEvent/HAFNIUMSuspiciousUMServiceError.yml
@ -0,0 +1,28 @@
+id: 0625fcce-6d52-491e-8c68-1d9b801d25b9
+name: HAFNIUM Suspicious UM Service Error.
+description: |
+  'This query looks for errors that may indicate that an attacker is attempting to exploit a vulnerability in the service. 
+  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
+severity: Low
+requiredDataConnectors: []
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  Event
+  | where EventLog =~ "Application"
+  | where Source startswith "MSExchange"
+  | where EventLevelName =~ "error"
+  | where (RenderedDescription startswith "Watson report" and RenderedDescription contains "umworkerprocess" and RenderedDescription contains "TextFormattingRunProperties") or RenderedDescription startswith "An unhandled exception occurred in a UM worker process" or RenderedDescription startswith "The Microsoft Exchange Unified Messaging service"
+  | where RenderedDescription !contains "System.OutOfMemoryException"
+  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
--- a/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yml
+++ b/Detections/W3CIISLog/HAFNIUMSuspiciousRequestPattern.yml
@ -0,0 +1,44 @@
+id: 23005e87-2d3a-482b-b03d-edbebd1ae151
+name: HAFNIUM Suspicious Exchange Request
+description: |
+  'This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by HAFNIUM actors.
+  The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers.
+  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AzureMonitor(IIS)
+    dataTypes:
+      - W3CIISLog
+queryFrequency: 1d
+queryPeriod: 14d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  let exchange_servers = (
+  W3CIISLog
+  | where TimeGenerated > ago(14d)
+  | where sSiteName =~ "Exchange Back End"
+  | summarize by Computer);
+  W3CIISLog
+  | where TimeGenerated > ago(1d)
+  | where Computer in (exchange_servers)
+  | where csUriQuery startswith "t="
+  | project-reorder TimeGenerated, Computer, csUriStem, csUriQuery, csUserName, csUserAgent, cIP
+  | extend timestamp = TimeGenerated, AccountCustomEntity = csUserName, HostCustomEntity = Computer, IPCustomEntity = cIP
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yml
+++ b/Detections/htttp_proxy_oab_CL/HAFNIUMSuspiciousFileDownloads.yml
@ -0,0 +1,30 @@
+id: 03e04c97-8cae-48b3-9d2f-4ab262e4ffff
+name: HAFNIUM Suspicious File Downloads.
+description: |
+  'This query looks for messages related to file downloads of suspicious file types. This query uses the Exchange HttpProxy AOBGeneratorLog, you will need to onboard this log as a custom log under the table http_proxy_oab_CL before using this query. 
+  Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/'
+severity: Medium
+requiredDataConnectors: []
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1190
+query: |
+  let scriptExtensions = dynamic([".php", ".jsp", ".js", ".aspx", ".asmx", ".asax", ".cfm", ".shtml"]);
+  http_proxy_oab_CL
+  | where Message contains "Download failed and temporary file"
+  | extend File = extract("([^\\\\]*)(\\\\[^']*)",2,Message)
+  | extend Extension = strcat(".",split(file, ".")[-1])
+  | extend InteractiveFile = iif(ext in (scriptExtensions), "Yes", "No")
+  // Uncomment the following line to alert only on interactive file download type
+  //| where InteractiveFile =~ "Yes"
+  | extend timestamp = TimeGenerated, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
--- a/Queries/SecurityEvent/ExchangePowerShellSnapin.yaml
+++ b/Queries/SecurityEvent/ExchangePowerShellSnapin.yaml
@ -0,0 +1,29 @@
+id: 8afd1086-fc9a-4d26-b3ff-5c794c79a59a
+name: Exchange PowerShell Snapin Added
+description: |
+  'The Exchange Powershell Snapin was loaded on a host, this allows for a Exchange server management via PowerShell. Whilst this is a legitimate administrative tool it is abused by attackers to performs actions on a compromised Exchange server. Hunt for unusual activity related to this Snapin including it being added on new hosts or by new accounts.'
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Collection
+relevantTechniques:
+  - T1119
+query: |
+  SecurityEvent
+  | where EventID == 4688
+  | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
+  | where isnotempty(CommandLine)
+  | where CommandLine contains "Add-PSSnapin Microsoft.Exchange.Powershell.Snapin"
+  | summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated) by Computer, Account, CommandLine 
+  | extend timestamp = FirstSeen, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
--- a/Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml
+++ b/Queries/SecurityEvent/Invoke-PowerShellTcpOneLine.yaml
@ -0,0 +1,31 @@
+id: a344e28e-095d-47fb-84a8-d06edd31d2cb
+name: Invoke-PowerShellTcpOneLine Usage.
+description: |
+  'Invoke-PowerShellTcpOneLine is a PowerShell script to create a simple and small reverse shell. It can be abused by attackers to exfiltrate data. This query looks for command line activity similar to Invoke-PowerShellTcpOneLine.'
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1011
+query: |
+  SecurityEvent
+  | where EventID == 4688
+  | where Process has_any ("powershell.exe", "PowerShell_ISE.exe", "cmd.exe")
+  | where CommandLine has "$client = New-Object System.Net.Sockets.TCPClient"
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer, IPCustomEntity = IpAddress
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
--- a/Queries/SecurityEvent/PowerCatDownload.yaml
+++ b/Queries/SecurityEvent/PowerCatDownload.yaml
@ -0,0 +1,27 @@
+id: 58fe8fc8-54fa-48cd-bac3-197f8d862429
+name: Powercat Download
+description: |
+  'Powercat is a PowerShell implementation of netcat. Whilst it can be used as a legitimate administrative tool it can be abused by attackers to exfiltrate data. This query looks for command line activity downloading PowerCat.'
+requiredDataConnectors:
+  - connectorId: SecurityEvents
+    dataTypes:
+      - SecurityEvent
+tactics:
+  - Exfiltration
+relevantTechniques:
+  - T1011
+query: |
+  SecurityEvent
+  | where EventID == 4688
+  | where Process has_any ("cmd.exe", "powershell.exe", "PowerShell_ISE.exe")
+  | where CommandLine has "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"
+  | extend timestamp = TimeGenerated, AccountCustomEntity = Account, HostCustomEntity = Computer
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: AccountCustomEntity
+  - entityType: Host
+    fieldMappings:
+      - identifier: FullName
+        columnName: HostCustomEntity