HAFNIUM Exchange Zero-Day Scanning

The Microsoft Exchange Zero-day exploit drop this week is a big one for 2021. The actions everyone needs to take when these exploits are being used in the wild is:

1. Take inventory

  • Do you host an on-prem exchange server?
  • Is the exchange server vulnerable? Most likely unless you applied the latest out-of-band patches released on 2 March 2021.

2. Apply Patches

  • Make sure those patches are applied as active exploitation is bound to find you soon if it hasn’t already.

3. Scan your exchange server for malicious webshells

4. Monitor for evil activity on your exchange servers or endpoints

  • If you have endpoint monitoring, look for suspicious powershell activity on that exchange server, powershell being launched from your web server applications, procdump.exe against LSASS, etc.
  • This post-exploit activity is important to look for. One of our customers was exploited by this attacker but due to having powershell disabled on the server by policy, the malicious webshell was there but no follow-on post exploit activity was observed to be successful.

Get to patching and then get to hunting!

Infocyte Team

The post HAFNIUM Exchange Zero-Day Scanning appeared first on Infocyte.

*** This is a Security Bloggers Network syndicated blog from Blog – Infocyte authored by Chris Gerritz. Read the original post at:

Avatar photo

Chris Gerritz

Chris is a retired Air Force cybersecurity officer and veteran who pioneered defensive cyber threat hunting operations for the U.S. Air Force — standing up their first interactive Defensive Counter Cyberspace (DCC) practice.

chris-gerritz has 12 posts and counting.See all posts by chris-gerritz