Detection and Response for HAFNIUM activity

On March 2, 2021, Microsoft released a security update describing several 0-day exploits targeting on-premises Microsoft Exchange servers. Four published remote code execution vulnerabilities relate to this activity, for which Microsoft released a patch. The vulnerabilities are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065.

In addition to verifying the information published by other members of the security community, Elastic Security identified indicators of compromise (IoCs) showing that the adversary's objectives were to obtain credentials, maintain persistence, conduct reconnaissance, and steal data. Users with on-premises Exchange servers are advised to patch as soon as possible and to be aware that threat actors of all kinds are actively attempting to exploit these vulnerabilities.

Elastic Security provides a technical overview of Elastic Endpoint and Elastic Endgame capabilities related to this activity in our Discuss forum. The overview describes eight existing and two new Elastic Endpoint rules, as well as six existing Elastic Endgame rules, that identify the threat behaviors. For Elastic Endgame users, we provide three additional EQL queries that detect portions of the attack. Based on telemetry observations, we also include five IoCs.

Please visit the Discuss forum for full details on our identified IoCs.