If you want just to see how to find HAFNIUM Exchange Zero-Day Activity, skip down to the “detections” sections. Otherwise, read on for a quick breakdown of what happened, how to detect it, and MITRE ATT&CK mappings.

Introduction to HAFNIUM and the Exchange Zero-Day Activity

On Tuesday, March 2, 2021, Microsoft released a set of security patches for its mail server, Microsoft Exchange. These patches respond to a group of vulnerabilities known to impact Exchange 2013, 2016, and 2019. It is important to note that an Exchange 2010 security update has also been issued, though the CVEs do not reference that version as being vulnerable.

While the CVEs do not shed much light on the specifics of the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) has a remote network attack vector that allows the attacker, a group Microsoft named HAFNIUM, to authenticate as the Exchange server. Three additional vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were also identified as part of this activity. When chained together along with CVE-2021-26855 for initial access, the attacker would have complete control over the Exchange server. This includes the ability to run code as SYSTEM and write to any path on the server. A temporary mitigation for these vulnerabilities from external threats is restricting access to OWA, such as placing the OWA server behind a VPN to prevent external access. This does not, however, prevent an internal attacker from exploiting the vulnerability.

You may be thinking, “another Tuesday filled with patches, just like any other month.” That may be true to some extent, but it is essential to point out based on Volexity’s blog that: “In all cases of RCE (remote code execution), Volexity has observed the attacker writing web shells (ASPX files) to disk and conducting further operations to dump credentials, add user accounts, steal copies of the Active Directory database (NTDS.DIT), and move laterally to other systems and environments.”

I don’t know about you, but whenever I see an adversary stealing copies of my Active Directory (AD) database, that sends chills down my spine because, at that point, I am rebuilding my entire AD from scratch as part of my remediation effort. For more color, stealing the AD database implies that the adversary will have domain administrator privilege, so this is important to investigate. Some of these vulnerabilities are being exploited via Outlook Web Services (OWA), a commonly enabled feature of Exchange Server 2013, 2016, and 2019. Underlying OWA is Microsoft’s venerable web server, Internet Information Services (IIS). It just so happens that elements of this attack can be detected by looking for the appropriate POST requests in IIS logs. Wait just a moment! Splunk is super good at ingesting logs from all sources and looking for patterns in them! All we need to do is ensure that logs are being ingested from our OWA servers appropriately. Our recipe for success is to use the Splunk Universal Forwarder and add in a little bit of the Splunk-supported Technical Add-On for Microsoft IIS. Next, add something like this to your inputs.conf file so that you can ingest all of the exciting logs in the C:\inetpub\logs\LogFiles directory in W3C format.
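To make the IIS side of this concrete, here is an added example (not code from the original post or from the Splunk add-on) that parses the W3C extended format IIS writes under C:\inetpub\logs\LogFiles and summarises POST requests per client IP and URI stem, the same view an analyst pivots on when reviewing OWA POST activity. The log lines, IPs and paths in the sample are constructed for illustration.

```python
"""Parse IIS W3C logs and summarise POST requests per client and URI (added example)."""
from collections import Counter

# Constructed sample in the W3C format IIS writes to C:\inetpub\logs\LogFiles.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 09:00:01 10.0.0.5 GET /owa/ - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 09:00:02 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302
2021-03-03 09:00:03 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 302
2021-03-03 09:00:04 10.0.0.5 POST /ecp/ - 443 - 203.0.113.9 python-requests/2.25 200
2021-03-03 09:00:05 10.0.0.5 GET /owa/ - 443 alice 198.51.100.7 Mozilla/5.0 200
"""


def parse_w3c(lines):
    """Turn W3C lines into dicts keyed by the #Fields header; IIS may emit a
    new #Fields directive mid-file, so the active field list is tracked."""
    fields, records = [], []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # skip truncated lines rather than misalign the columns
        records.append(dict(zip(fields, values)))
    return records


def post_counts(records):
    """Count POST requests per (client IP, lower-cased URI stem)."""
    return Counter(
        (r["c-ip"], r["cs-uri-stem"].lower())
        for r in records
        if r.get("cs-method", "").upper() == "POST"
    )


if __name__ == "__main__":
    for (ip, uri), n in post_counts(parse_w3c(SAMPLE_LOG.splitlines())).most_common():
        print(f"{ip:16} {uri:16} {n}")
```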