HiSolutions Discovers New HAFNIUM/ProxyLogon IoCs
by Daniel Jedecke, David Fuhr und Vincent Rockenfeld
During our work on a large number of forensic analyses of HAFNIUM/ProxyLogon cases, we witnessed several cases where the recommended Microsoft tools (TestProxyLogon script and Safety Scanner/MSERT) do not find anything due to missing traces in the HttpProxy log. In those cases evidence can be found in the ECP Activity log as follow:
Indicators of Compromise (IoCs):
./ECP/Activity/ECPActivity_39844_20210303-1.LOG: 2021-03-03T06:43:32.531Z ,EX01, ,S:FE=EX01.FOOBAR.LOCAL;S:URL=https://ex01.foobar.local:444 /ecp/proxyLogon.ecp (https://owa.foobar.com/ecp/y.js);S:Bld=15.1.2106.2;S:ActID=def0-b0e6-2342-5e2c-23a8ff1962a1;Dbl:WLM.TS=0
./ECP/Activity/ECPActivity_39844_20210303-1.LOG: 2021-03-03T06:43:32.963Z, EX01,Request,S:PSA= administrator@foobar.com ;S:FE=EX01.FOOBAR.LOCAL;S:URL=https://ex01.foobar.local:444 /ecp/proxyLogon.ecp (https://owa.foobar.com/ecp/y.js)
With the following (Linux/UNIX) command logs can be searched for relevant entries:
grep -ir “proxylogon“ ./ECP/Activity | sort -n
For the German version of this post, see here.