HAFNIUM
Associated Group Descriptions

| Name | Description |
|---|---|
| Silk Typhoon | (Citation: Microsoft Threat Actor Naming July 2023) |
| Operation Exchange Marauder | (Citation: Volexity Exchange Marauder March 2021) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1583.003 | Acquire Infrastructure: Virtual Private Server | HAFNIUM has operated from leased virtual private servers (VPS) in the United States.(Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1583.006 | Acquire Infrastructure: Web Services | HAFNIUM has acquired web services for use in C2 and exfiltration.(Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | HAFNIUM has used open-source C2 frameworks, including Covenant.(Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | HAFNIUM has used the Exchange PowerShell module |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | HAFNIUM has used `cmd.exe` to execute commands on the victim's machine.(Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1136.002 | Create Account: Domain Account | HAFNIUM has created domain accounts.(Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | HAFNIUM has used ASCII encoding for C2 traffic.(Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1114.002 | Email Collection: Remote Email Collection | HAFNIUM has used web shells to export mailbox data.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | HAFNIUM has exfiltrated data to file sharing sites, including MEGA.(Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1592.004 | Gather Victim Host Information: Client Configurations | HAFNIUM has interacted with Office 365 tenants to gather details regarding targets' environments.(Citation: Microsoft HAFNIUM March 2020) |
| Enterprise | T1589.002 | Gather Victim Identity Information: Email Addresses | HAFNIUM has collected e-mail addresses for users they intended to target.(Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1590.005 | Gather Victim Network Information: IP Addresses | HAFNIUM has obtained IP addresses for publicly accessible Exchange servers.(Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | HAFNIUM has hidden files on a compromised host.(Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | HAFNIUM has used |
| Enterprise | T1003.003 | OS Credential Dumping: NTDS | HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).(Citation: Volexity Exchange Marauder March 2021) |
| Enterprise | T1505.003 | Server Software Component: Web Shell | HAFNIUM has deployed multiple web shells on compromised servers including SIMPLESEESHARP, SPORTSBALL, China Chopper, and ASPXSpy.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)(Citation: FireEye Exchange Zero Days March 2021)(Citation: Tarrask scheduled task)(Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | HAFNIUM has used |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | HAFNIUM has checked for network connectivity from a compromised host using `ping`, including attempts to contact `google[.]com`.(Citation: Rapid7 HAFNIUM Mar 2021) |
| Enterprise | T1078.003 | Valid Accounts: Local Accounts | HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.(Citation: FireEye Exchange Zero Days March 2021) |
References
- MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
- Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Bromiley, M. et al. (2021, March 4). Detection and Response to Exploitation of Microsoft Exchange Zero-Day Vulnerabilities. Retrieved March 9, 2021.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.