# HAFNIUM - Exchange 0-day exploits

This playbook is part of the Rapid Breach Response Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook includes the following tasks:
- Collect indicators to be used in your threat hunting process
- Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities
- Discover IOCs related to the attack
- Query firewall logs to detect malicious network activity
- Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0).
- Block indicators
Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward-compatible changes. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
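The tasks above (match IOC hashes against endpoint data, match IOC addresses against firewall logs, then block only when `BlockIndicatorsAutomatically` is set) are carried out in the real playbook by the generic sub-playbooks it calls. The following is an added, offline illustration of that hunt-and-block logic written for this page; it is not code from the playbook or from Cortex XSOAR. Every hash, address, host name, file path and log line in it is constructed for the example (hashes are SHA-256 of throwaway strings, addresses come from RFC 5737 documentation ranges), none is a real HAFNIUM indicator, and the log formats and the `INTERNAL_NETS` list are assumptions.

```python
"""
Offline illustration of the hunt-and-block steps in the HAFNIUM playbook.
Added example, not code from the playbook or from Cortex XSOAR.
Every IOC value and log line below is constructed; none is a real indicator.
"""
import hashlib
import ipaddress
import re
from typing import Dict, Iterable, List, Set

# Constructed IOC hashes: SHA-256 of throwaway strings, so they cannot match real files.
WEBSHELL_HASH = hashlib.sha256(b"constructed-sample-webshell").hexdigest()
DROPPER_HASH = hashlib.sha256(b"constructed-sample-dropper").hexdigest()
BENIGN_HASH = hashlib.sha256(b"constructed-benign-file").hexdigest()
IOC_HASHES: Set[str] = {WEBSHELL_HASH, DROPPER_HASH}

# Constructed IOC addresses (RFC 5737 documentation ranges) plus one deliberately
# bad feed entry, an internal address, to exercise the block-list filter.
IOC_IPS: Set[str] = {"192.0.2.10", "198.51.100.7", "10.0.0.5"}

# Assumption for this example: ranges that must never reach a perimeter block list.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Constructed endpoint file-inventory lines: "<host> <sha256> <path>"
ENDPOINT_LOGS: List[str] = [
    f"EXCH01 {WEBSHELL_HASH} C:\\temp\\sample.aspx",
    f"EXCH01 {BENIGN_HASH} C:\\Windows\\System32\\notepad.exe",
    f"WS-042 {DROPPER_HASH.upper()} C:\\Users\\Public\\svc.exe",  # mixed-case export
    f"WS-043 {BENIGN_HASH} C:\\Windows\\System32\\notepad.exe",
]

# Constructed firewall lines: "<src> -> <dst>:<port> <allow|deny>"
FIREWALL_LOGS: List[str] = [
    "10.1.1.20 -> 192.0.2.10:443 allow",
    "10.1.1.21 -> 198.51.100.7:443 deny",
    "10.1.1.22 -> 203.0.113.99:80 allow",
    "malformed line",
]

FW_LINE = re.compile(r"^(\S+) -> (\S+):(\d+) (allow|deny)$")


def hunt_endpoints(logs: Iterable[str], ioc_hashes: Set[str]) -> Dict[str, List[str]]:
    """Hosts whose inventory contains an IOC hash, mapped to the matching file paths.
    Comparison is case-insensitive because EDR exports mix hex case."""
    hits: Dict[str, List[str]] = {}
    for line in logs:
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        host, digest, path = parts
        if digest.lower() in ioc_hashes:
            hits.setdefault(host, []).append(path)
    return hits


def hunt_firewall(logs: Iterable[str], ioc_ips: Set[str]) -> Dict[str, Set[str]]:
    """Internal sources with *allowed* connections to IOC addresses.
    Denied attempts are not counted as compromise evidence here."""
    hits: Dict[str, Set[str]] = {}
    for line in logs:
        m = FW_LINE.match(line)
        if not m:
            continue
        src, dst, _port, action = m.groups()
        if action == "allow" and dst in ioc_ips:
            hits.setdefault(src, set()).add(dst)
    return hits


def build_block_list(ioc_ips: Set[str], ioc_hashes: Set[str], auto_block: bool) -> Dict[str, Set[str]]:
    """Mirror the BlockIndicatorsAutomatically input: nothing is blocked unless it is True.
    Addresses inside INTERNAL_NETS are dropped so a bad feed entry cannot blackhole internal traffic."""
    if not auto_block:
        return {"ips": set(), "hashes": set()}
    safe_ips = {
        ip for ip in ioc_ips
        if not any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    }
    return {"ips": safe_ips, "hashes": set(ioc_hashes)}


if __name__ == "__main__":
    print("compromised hosts:", hunt_endpoints(ENDPOINT_LOGS, IOC_HASHES))
    print("beaconing sources:", hunt_firewall(FIREWALL_LOGS, IOC_IPS))
    print("block list:", build_block_list(IOC_IPS, IOC_HASHES, auto_block=True))
```

Two design points carry over to the real playbook: hash matching should be case-insensitive, since endpoint exports disagree on hex case, and an IOC feed should be sanity-checked against your own address space before anything is pushed to a firewall, because a single internal address in a feed becomes a self-inflicted outage the moment automatic blocking is enabled.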
## Dependencies
This playbook uses the following sub-playbooks, scripts, and commands.
### Sub-playbooks
- Search Endpoint by CVE - Generic
- Palo Alto Networks - Hunting And Threat Detection
- Block Indicators - Generic v2
- Search Endpoints By Hash - Generic V2
### Scripts
- SearchIncidentsV2
- Set
- http
### Commands
- enrichIndicators
- createNewIndicator
- expanse-get-issues
## Playbook Inputs

Name | Description | Default Value | Required |
---|---|---|---|
BlockIndicatorsAutomatically | Whether to automatically block the indicators involved in the HAFNIUM exploits. | False | Optional |
## Playbook Outputs
There are no outputs for this playbook.