This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 44%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hi,
as per the advice give in the article:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
I have run the powershell command to identify any logfile entries on each of my exchange servers.
A couple of hits have been returned, but I cannot find the entries in the corresponding autodiscover log files on any servers.
Eg.
DateTime AnchorMailbox
2021-03-03T07:10:58.123Z ServerInfo~a]@servername.domain.local:444/autodiscover/autodiscover.xml?#
I've looked at the logs for the corresponding timeframe in the following locations, on all servers:
%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\Autodiscover
%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy\Autodiscover
Am I looking in the wrong place for these log files?
Thanks
If you aren't finding anything in the scans, its a pretty good indicator that you arent compromised. The MSERT tools looks for known malware and exploits from all those exploits - not a particular one.
Make sure you are patched and have an existing anti-malware product running on the Exchange Servers for the future.
Thanks Andy, I very much appreciate your input.
All the servers were updated to 2019 CU8 last month, and the security patch applied on 03/03.
I've just run the Test-ProxyLogon.ps1 script and the nothing other than the ECP log entries has been found.
I'd agree that there's no evidence to suggest compromise as it stands.
Cool. Always nice when nothing bad is found :)
2021-03-03T07:10:58.123Z ServerInfo~a]@servername.domain.local:444/autodiscover/autodiscover.xml?#
These would be in the IIS logs
I would also scan your system
Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server
Hi Andy,
thanks for reply.
I'm not sure I follow the comment regarding IIS logs - the PS command I was referring to points to "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" as the log file location?
Hi, Sorry, I guess what I was asking is if you see those entries in the IIS logs for that time period if you arent finding them in the proxy logs
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EYS%3C/text%3E%3C/svg%3E)
Hi @Matt Pollock ,
Aside from the HttpProxy\Autodiscover folder, you can also look at the other subfolders under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy for the entries.
I've just seen the thread below which mentioned that similar entries are found in the HttpProxy ECP logfiles:
HAFNIUM Attack
Furthermore, as mentioned by Kael in the thread above, if the logs only show references to autodiscover.xml and you didn't see any other suspicious activity like ECP/OWA/OAB or evidence of the other CVE's being hit, it's recommended to prioritize applying the security updates to your Exchange Servers and keep monitoring.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks for the replies.
I have found the log file entries - all in the HttpProxy ECP directory.
All of the output references /ecp/y.js as the protocol action - example below:
2021-03-03T15:34:40.014Z,ba205e01-7bd4-4c7d-90c1-
d7deaf361a2d,15,2,792,3,,Ecp,195.x.x.x,/ecp/y.js,,FBA,false,,,ServerInfo~a]@SERVER01.ourdomain.localnet:444/autodiscover/autodiscover.xml?
I have run the MSERT tool on all servers and found no suspicious files.
Which specific CVE does this refer to please, and is there any further action required do you think?
Hi @Matt Pollock ,
From the output of the Test-ProxyLogon.ps1 script, the entries referencing to autodiscover.xml only indicate that CVE-2021-26855 was successfully exploited. The activity that created hits in the script for /autodiscover/autodiscover.xml can be interpreted as scanning to determine if the target is vulnerable.
As there are no indicators that the other CVEs (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) have been exploited and you have already run the MSERT tool and found no suspicious files, agree with Andy that you only need to ensure that the security patches are installed and follow other security recommendations like having your antivirus fully updated and deploying monitoring solutions like Microsoft Defender.