YARA rules for CVE-2021-27065
YARA rules whose family, name, or description matches this CVE or its tooling. Use them for content hunts on files and logs: the rule tagged LOG targets Exchange ECP log text, the WEBSHELL rules target the ASPX files dropped through the OAB virtual directory.
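rule EXPL_LOG_CVE_2021_27065_Exchange_Forensic_Artefacts_Mar21_1 : LOG {
   meta:
      description = "Detects forensic artefacts found in HAFNIUM intrusions exploiting CVE-2021-27065"
      author = "Florian Roth (Nextron Systems)"
      reference = "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"
      date = "2021-03-02"
      id = "dcc1f741-cab0-5a0b-a261-a6bd05989723"
   strings:
      // ECP command trace recorded when the OAB virtual directory's ExternalUrl is
      // rewritten - the setter that CVE-2021-27065 abuses. The attacker-controlled
      // value follows the opening quote directly, e.g. ExternalUrl='http://f/<script...
      //
      // Deliberately NOT 'fullword': YARA's fullword rejects a match when the byte
      // right after the pattern is alphanumeric, and here that byte is the first
      // character of the injected URL (typically "h" of http), so the modifier would
      // suppress exactly the hits this rule exists for. 'wide' keeps UTF-16 logs covered.
      $s1 = "S:CMD=Set-OabVirtualDirectory.ExternalUrl='" ascii wide
   condition:
      1 of them
}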
rule WEBSHELL_CVE_2021_27065_Webshells {
   meta:
      description = "Detects web shells dropped by CVE-2021-27065. All actors, not specific to HAFNIUM. TLP:WHITE"
      author = "Joe Hannon, Microsoft Threat Intelligence Center (MSTIC)"
      date = "2021-03-05"
      reference = "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"
      id = "27677f35-24a3-59cc-a3ad-b83884128da7"
   strings:
      // Server-side script markers: the file must contain something ASP.NET will execute.
      // Each one alone is common in legitimate pages, so the condition only needs one of
      // them and relies on the OAB-property strings below for specificity.
      $asp_1 = "script language" ascii wide nocase
      $asp_2 = "page language" ascii wide nocase
      $asp_3 = "runat=\"server\"" ascii wide nocase
      $asp_4 = "/script" ascii wide nocase

      // OAB virtual directory property names. A file written through the abused
      // ExternalUrl setter carries the directory object's properties alongside the
      // injected script; these names are what separate the dropped shell from an
      // ordinary ASPX page.
      $oab_url_ext    = "externalurl" ascii wide nocase
      $oab_url_int    = "internalurl" ascii wide nocase
      $oab_auth       = "internalauthenticationmethods" ascii wide nocase
      $oab_ept        = "extendedprotectiontokenchecking" ascii wide nocase
   condition:
      // Dropped files are small; the cap also keeps the broad script atoms cheap.
      filesize < 50KB
      and 1 of ($asp_*)
      and 1 of ($oab_url_ext, $oab_url_int)
      and all of ($oab_auth, $oab_ept)
}
rule WEBSHELL_HAFNIUM_CISA_10328929_01 : trojan webshell exploit CVE_2021_27065 {
meta:
author = "CISA Code & Media Analysis"
date = "2021-03-17"
description = "Detects CVE-2021-27065 Webshellz"
hash = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a"
id = "81916396-8aaa-5045-b31c-4bcce8d295a5"
strings:
// All patterns are raw-byte (hex) strings, i.e. ASCII only: a UTF-16-encoded
// ASPX file would not match any of them. There is also no filesize bound, so
// the rule is evaluated against every scanned file regardless of size.
//
// $s0: eval(Request["<1-32 bytes>],"unsafe")  - one-liner JScript shell that
//      executes a request parameter; the jump covers the parameter name and
//      its closing quote.
$s0 = { 65 76 61 6C 28 52 65 71 75 65 73 74 5B 22 [1-32] 5D 2C 22 75 6E 73 61 66 65 22 29 }
// $s1: eval(   - very short, so it is only ever used in conjunction with $s2.
$s1 = { 65 76 61 6C 28 }
// $s2: (Request.Item[<1-36 bytes>])),"unsafe")  - same eval-with-"unsafe"
//      shape, but reading the parameter through Request.Item.
$s2 = { 28 52 65 71 75 65 73 74 2E 49 74 65 6D 5B [1-36] 5D 29 29 2C 22 75 6E 73 61 66 65 22 29 }
// $s3: IO.StreamWriter(Request.Form[<1-24 bytes>]  - file-writer variant that
//      opens a path taken from a form field.
$s3 = { 49 4F 2E 53 74 72 65 61 6D 57 72 69 74 65 72 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
// $s4: Write(Request.Form[<1-24 bytes>]  - the matching write of form-supplied
//      content; paired with $s3 so a lone Write(Request.Form[...]) is not enough.
$s4 = { 57 72 69 74 65 28 52 65 71 75 65 73 74 2E 46 6F 72 6D 5B [1-24] 5D }
condition:
// Three independent shell shapes: the complete eval(Request["..."]) one-liner,
// eval( combined with the Request.Item form, or the StreamWriter file dropper.
$s0 or ($s1 and $s2) or ($s3 and $s4)
}
rule WEBSHELL_HAFNIUM_CISA_10328929_02 : trojan webshell exploit CVE_2021_27065 {
meta:
author = "CISA Code & Media Analysis"
date = "2021-03-17"
description = "Detects CVE-2021-27065 Exchange OAB VD MOD"
hash = "c8a7b5ffcf23c7a334bb093dda19635ec06ca81f6196325bb2d811716c90f3c5"
reference = "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-084a"
id = "34a89a6e-fa8a-5c64-a325-30202e20b30f"
strings:
// Targets the OAB virtual directory property dump that ends up in the dropped
// file when ExternalUrl is rewritten, rather than the script payload itself.
// Raw-byte (ASCII-only) patterns, no filesize bound.
//
// $s0: OfflineAddressBooks  - property name present in the OAB VD object dump.
$s0 = { 4F 66 66 6C 69 6E 65 41 64 64 72 65 73 73 42 6F 6F 6B 73 }
// $s1: ": http://" <exactly 1 byte> "/"  - a URL value with a ONE-character host
//      (http://f/ style). NOTE(review): the [1] jump is exact, so a payload using
//      a longer throw-away hostname would not satisfy $s1; widen the jump only
//      after confirming against observed samples.
$s1 = { 3A 20 68 74 74 70 3A 2F 2F [1] 2F }
// $s2: "ExternalUrl" followed by four spaces - the column-padded property label
//      as it appears in the dump, which is why a plain "ExternalUrl" is not used.
$s2 = { 45 78 74 65 72 6E 61 6C 55 72 6C 20 20 20 20 }
condition:
// All three must co-occur: the dump marker, the padded label and the short-host URL.
$s0 and $s1 and $s2
}