ioc[.]one - OSINT Cyber Threat Intelligence Database

Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk

Tags

cmtmf-attack-pattern:

Command And Scripting Interpreter

attack-pattern:

Data Archive Via Utility - T1560.001 Command And Scripting Interpreter - T1623 Credentials - T1589.001 Dns - T1590.002 Email Addresses - T1589.002 Exploits - T1587.004 Exploits - T1588.005 Hidden Window - T1564.003 Ip Addresses - T1590.005 Local Email Collection - T1114.001 Lsass Memory - T1003.001 Ntds - T1003.003 Powershell - T1059.001 Remote Data Staging - T1074.002 Server - T1583.004 Server - T1584.004 Server Software Component - T1505 Smb/Windows Admin Shares - T1021.002 Web Shell - T1505.003 Web Services - T1583.006 Web Services - T1584.006 Vulnerabilities - T1588.006 Standard Application Layer Protocol - T1071 Brute Force - T1110 Command-Line Interface - T1059 Create Account - T1136 Credential Dumping - T1003 Data From Local System - T1005 Email Collection - T1114 Exploit Public-Facing Application - T1190 File And Directory Discovery - T1083 Hidden Window - T1143 Indicator Removal On Host - T1070 Network Service Scanning - T1046 Obfuscated Files Or Information - T1027 Powershell - T1086 Remote Services - T1021 Web Shell - T1100

Show in Graph

Common Information

Type	Value
UUID	b85d3d9d-3665-412a-9c51-ee961e582ede
Fingerprint	bd0985d5abb48193
Analysis status	DONE
Considered CTI value	2
Text language
Published	March 3, 2021, 7:11 a.m.
Added to db	Sept. 26, 2022, 9:33 a.m.
Last updated	Nov. 17, 2024, 6:56 p.m.
Headline	Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk
Title	Detecting HAFNIUM Exchange Server Zero-Day Activity in Splunk
Detected Hints/Tags/Attributes	88/2/28

Source URLs

	Redirection	Url
Details	Source	https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html

URL Provider

Details	Provider	Source level domain
Details	splunk.com	www.splunk.com

Attributes

Details	Type	#Events	CTI	Value
Details	CVE	184		cve-2021-26855
Details	CVE	90		cve-2021-26857
Details	CVE	92		cve-2021-26858
Details	CVE	126		cve-2021-27065
Details	Domain	339		system.net
Details	File	1208		powershell.exe
Details	File	10		umworkerprocess.exe
Details	File	1		umservice.exe
Details	MITRE ATT&CK Techniques	173		T1003.001
Details	MITRE ATT&CK Techniques	460		T1059.001
Details	MITRE ATT&CK Techniques	34		T1114.001
Details	MITRE ATT&CK Techniques	86		T1136
Details	MITRE ATT&CK Techniques	67		T1003.003
Details	MITRE ATT&CK Techniques	139		T1021.002
Details	MITRE ATT&CK Techniques	534		T1005
Details	MITRE ATT&CK Techniques	627		T1027
Details	MITRE ATT&CK Techniques	168		T1046
Details	MITRE ATT&CK Techniques	695		T1059
Details	MITRE ATT&CK Techniques	247		T1070
Details	MITRE ATT&CK Techniques	444		T1071
Details	MITRE ATT&CK Techniques	20		T1074.002
Details	MITRE ATT&CK Techniques	585		T1083
Details	MITRE ATT&CK Techniques	125		T1110
Details	MITRE ATT&CK Techniques	542		T1190
Details	MITRE ATT&CK Techniques	67		T1505
Details	MITRE ATT&CK Techniques	116		T1560.001
Details	MITRE ATT&CK Techniques	22		T1589.002
Details	MITRE ATT&CK Techniques	8		T1590.002