Skip to main content

HAFNIUM - Exchange 0-day exploits

This Playbook is part of the Rapid Breach Response Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

This playbook includes the following tasks:

  • Collect indicators to be used in your threat hunting process
  • Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities
  • Discover IOCs related to the attack
  • Query firewall logs to detect malicious network activity
  • Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0).
  • Block indicators

Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

Dependencies#

This playbook uses the following sub-playbooks and scripts.

Sub-playbooks#

  • Search Endpoint by CVE - Generic
  • Palo Alto Networks - Hunting And Threat Detection
  • Block Indicators - Generic v2
  • Search Endpoints By Hash - Generic V2

Scripts#

  • SearchIncidentsV2
  • Set
  • http

Commands#

  • enrichIndicators
  • createNewIndicator
  • expanse-get-issues

Playbook Inputs#


NameDescriptionDefault ValueRequired
BlockIndicatorsAutomaticallyWhether to automatically indicators involved with HAFNIUM exploitsFalseOptional

Playbook Outputs#


There are no outputs for this playbook.

Playbook Image#


HAFNIUM - Exchange 0-day exploits