Comments (9)
dpaulson45
commented on August 26, 2024
Please refer to https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
The script is only designed to call out what the article tells you to look for IOCs, with better performance than what is provided in the article.
Based off the output, besides the zips if you expect those, it is providing that you do have indicators that you were compromised based off the http proxy logs output.
from css-exchange.
jarlva
commented on August 26, 2024
I also get tons of suspicious files. There is no way to even remotely know if those are valid or not.
MS, please patch my Exchange 2010 server.
from css-exchange.
bill-long
commented on August 26, 2024
Any zip files will be flagged as suspicious, as noted in the blog post:
Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.
It's up to the admin to determine whether those zip files are something expected due to related software being installed, or something unexpected.
The ServerInfo~ output is a sign of CVE-2021-26855, as noted in the same blog post.
from css-exchange.
zerocarbthirty
commented on August 26, 2024
Any zip files will be flagged as suspicious, as noted in the blog post:
Check for suspicious .zip, .rar, and .7z files in C:\ProgramData\, which may indicate possible data exfiltration.It's up to the admin to determine whether those zip files are something expected due to related software being installed, or something unexpected.
The ServerInfo~ output is a sign of CVE-2021-26855, as noted in the same blog post.
The zipfiles are expected. How do I figure out what exactly was done via the HTTP proxy and what exactly am I supposed to do now? I installed the patches an hour after you released them. It sounds like everybody that runs exchange on prem was impacted.
from css-exchange.
bill-long
commented on August 26, 2024
Sorry, we cannot give that kind of guidance here. This repo is for fixing bugs in the scripts. Please refer to our blogs or open a support case for help.
from css-exchange.
zerocarbthirty
commented on August 26, 2024
Without being overly critical what was the point of releasing this script?
Every Internet accessible server was exploited in the 10 days it took from
when the exploits started to when the patch was released.
It doesn't tell us anything about what was stolen or changed. It doesn't
tell us if the attack is ongoing or not. It really doesn't do anything.
…On Sat, Mar 6, 2021, 6:45 PM Bill Long ***@***.***> wrote:
Sorry, we cannot give that kind of guidance here. This repo is for fixing
bugs in the scripts. Please refer to our blogs or open a support case for
help.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#100 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD7FNQXQI2JFZ7O22EZVAXDTCK5AFANCNFSM4YW5AFZQ>
.
from css-exchange.
bill-long
commented on August 26, 2024
The point is to run the commands from the blog post. If you find no value in it, there is no need to use it.
from css-exchange.
zerocarbthirty
commented on August 26, 2024
When will the blog post get to the point where it is offering useful
information and guidance?
…On Sat, Mar 6, 2021, 7:51 PM Bill Long ***@***.***> wrote:
The point is to run the commands from the blog post. If you find no value
in it, there is no need to use it.
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub
<#100 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AD7FNQVSGZFEFBDV4HM6RW3TCLEZRANCNFSM4YW5AFZQ>
.
from css-exchange.
bill-long
commented on August 26, 2024
As you seem to have no further technical questions related to this repo, I guess we can close this now.
from css-exchange.
Related Issues (20)
- [Issue] - Health Checker - Credential Guard Detection HOT 4
- VSSTester [Issue] HOT 15
- Error running script with -CreateAzurerApplication when account has MFA enabled HOT 7
- [Issue] SourceSideValidations - Cannot process argument transformation on parameter 'Identity'. Cannot convert the "DB01_16" value of type "Deserialized.Microsoft.Exchange.Data.Directory.ADObjectId" to type "Microsoft.Exchange.Configuration.Tasks.DatabaseIdParameter" HOT 1
- Show script version before update
- [Work Item] MSQM Updated Guidance
- [Work Item] New code formatter check to detect domains that have not been approved by CELA
- Health Checker - Add additional context for services that are not running
- [Issue] Update-Engines overwrites the files on 2nd run
- [Issue] Health Checker - Get-LocalGroupMember failing to execute
- [Issue] Health Checker - Get-SecurityCve-2022-21978 parameter ExchangeWellKnownSecurityGroups is null
- [Issue]ExPerfWiz adds counters incorrectly to datacollector HOT 2
- Add ability to collect REST logs in Exchange log collector HOT 2
- [Work Item] Health Checker - Add Installed Date for SU/HU/CUs when they are installed
- [Issue] - Health Checker computer group membership check HOT 5
- [Work Item] - Adjust output of Test-ExchAVExclusions
- Adding Disk Performance
- [Issue] Spelling issues in the .build folder
- Health Checker -- Include installed 3rd party applications in the report
- [Issue] - Health Checker HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from css-exchange.