0 Votes
MattPollock-7884 asked ·

HAFNIUM question

Hi,

As per the advice given in the article:

https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

I have run the PowerShell command to identify any log file entries on each of my Exchange servers.

A couple of hits have been returned, but I cannot find the entries in the corresponding autodiscover log files on any servers.

E.g.

DateTime AnchorMailbox
2021-03-03T07:10:58.123Z ServerInfo~a]@servername.domain.local:444/autodiscover/autodiscover.xml?#

I've looked at the logs for the corresponding timeframe in the following locations, on all servers:

%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\Autodiscover
%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy\Autodiscover

Am I looking in the wrong place for these log files?

Thanks


0 Votes
AndyDavid answered ·

If you aren't finding anything in the scans, it's a pretty good indicator that you aren't compromised. The MSERT tool looks for known malware and exploits from all those exploits - not a particular one.

Make sure you are patched and have an existing anti-malware product running on the Exchange Servers for the future.


Thanks Andy, I very much appreciate your input.

All the servers were updated to 2019 CU8 last month, and the security patch applied on 03/03.

I've just run the Test-ProxyLogon.ps1 script and nothing other than the ECP log entries has been found.

I'd agree that there's no evidence to suggest compromise as it stands.

2 Votes
AndyDavid MattPollock-7884 ·

Cool. Always nice when nothing bad is found :)

0 Votes
0 Votes
AndyDavid answered ·

2021-03-03T07:10:58.123Z ServerInfo~a]@servername.domain.local:444/autodiscover/autodiscover.xml?#

These would be in the IIS logs

I would also scan your system

https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Microsoft Support Emergency Response Tool (MSERT) to scan Microsoft Exchange Server


Hi Andy,

Thanks for the reply.

I'm not sure I follow the comment regarding IIS logs - the PS command I was referring to points to "$env:PROGRAMFILES\Microsoft\Exchange Server\V15\Logging\HttpProxy" as the log file location?

0 Votes
AndyDavid MattPollock-7884 ·

Hi, sorry, I guess what I was asking is if you see those entries in the IIS logs for that time period if you aren't finding them in the proxy logs.

0 Votes
0 Votes
YukiSun-MSFT answered ·

Hi @MattPollock-7884,

Aside from the HttpProxy\Autodiscover folder, you can also look at the other subfolders under %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\HttpProxy for the entries.

I've just seen the thread below, which mentioned that similar entries are found in the HttpProxy ECP log files:
HAFNIUM Attack

Furthermore, as mentioned by Kael in the thread above, if the logs only show references to autodiscover.xml and you didn't see any other suspicious activity like ECP/OWA/OAB or evidence of the other CVEs being hit, it's recommended to prioritize applying the security updates to your Exchange Servers and keep monitoring.


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Thanks for the replies.

I have found the log file entries - all in the HttpProxy ECP directory.

All of the output references /ecp/y.js as the protocol action - example below:

2021-03-03T15:34:40.014Z,ba205e01-7bd4-4c7d-90c1-d7deaf361a2d,15,2,792,3,,Ecp,195.x.x.x,/ecp/y.js,,FBA,false,,,ServerInfo~a]@SERVER01.ourdomain.localnet:444/autodiscover/autodiscover.xml?

I have run the MSERT tool on all servers and found no suspicious files.

Which specific CVE does this refer to please, and is there any further action required do you think?


0 Votes

Hi @MattPollock-7884,

From the output of the Test-ProxyLogon.ps1 script, the entries referencing autodiscover.xml only indicate that CVE-2021-26855 was successfully exploited. The activity that created hits in the script for /autodiscover/autodiscover.xml can be interpreted as scanning to determine if the target is vulnerable.

As there are no indicators that the other CVEs (CVE-2021-26857, CVE-2021-26858, CVE-2021-27065) have been exploited and you have already run the MSERT tool and found no suspicious files, I agree with Andy that you only need to ensure that the security patches are installed and follow other security recommendations like having your antivirus fully updated and deploying monitoring solutions like Microsoft Defender.

1 Vote