gman-4008 asked joyceshen-MSFT commented

hafnium question

When running the Hafnium PowerShell script on our Exchange 2013 server, the only thing returned was two entries in Autodiscover.

Each ended with: "The email address cannot be found."

2021-03-03T11:32:23.754Z,ab20f7df-07ff-4abf-bc47-ce9e31fea8bd,15,0,1395,0,,Negotiate,true,NT AUTHORITY\SYSTEM,,ExchangeServicesClient/0.0.0.0,86.105.18.116,JFIEX2013P,MYEXCHANGE.MYDOMAIN.COM,POX,200,500,0,0,1,,,,,GlobalThrottlingPolicy_f9fb2403-54c7-412d-b51b-7f13cdaa45cb,,,1,3,0,3,2,,10,ADSessionSettingsFromAddress=0;ADRecipientSessionFindBySid=0;Caller=null;ResolveMethod=Unknown;RequestedRecipient=null;RequestedUser=administrator@Mydomain.com;S:ServiceCommonMetadata.RequestSize=347;S:WLM.Bal=300000;S:WLM.BT=Ews;S:BudgetMetadata.MaxConn=27;S:BudgetMetadata.MaxBurst=300000;S:BudgetMetadata.BeginBalance=300000;S:BudgetMetadata.Cutoff=3000000;S:BudgetMetadata.RechargeRate=900000;S:BudgetMetadata.IsServiceAct=False;S:BudgetMetadata.LiveTime=00:00:00;S:BudgetMetadata.EndBalance=300000;Dbl:WLM.TS=10;I32:ADS.C[ad-2]=2;F:ADS.AL[ad-2]=2.5936;I32:ATE.C[dc1.mydomain.com]=1;F:ATE.AL[dc1.mydomain.com]=0;I32:ADS.C[dc1]=1;F:ADS.AL[dc1]=2.3683,,message=The email address can't be found.;

Is this a false positive, an indication of a scan, or what? All other tests showed no issue.


Hello,

I've got similar results: three entries in "autodiscover" with the IP address "86.105.18.116", our domain admin user and the ending "the email address could not be found".
No suspicious files in the mentioned folders, the Test-ProxyLogon script shows the exact same three results as the first script, and our antivirus detects nothing.
So is this a "tried to come in but no success" situation?

The security patch was installed last Thursday on our Exchange 2013 CU23; we are now deliberating whether there are other measures we should take or whether we were lucky that nothing really bad happened.

Thanks in advance for your answer!


Hi @gman-4008

Any update here?

joyceshen-MSFT answered

Hi @gman-4008

Please also check whether you see any other suspicious activity like ECP/OWA/OAB or evidence of the other CVEs being hit, then collect the following data from the impacted server(s):
C:\inetpub\wwwroot\aspnet_client\ *.aspx
C:\inetpub\wwwroot\aspnet_client\system_web\
%ExchangeInstallPath%\FrontEnd\HttpProxy\OWA\Auth\
The log output from the Test-ProxyLogon Script

For detailed information, refer to this: Scan Exchange log files for indicators of compromise

Make sure you have upgraded your Exchange server to the latest CU version and have installed the security patch; this method is the only complete mitigation and has no impact on functionality.


AndyDavid answered joyceshen-MSFT commented

Hi,

Scanned the whole server, no potential threat detected.
Any other advice or measures you would recommend?

Thanks in advance.


Hi,

It should be OK if you have installed the security update.
