HAFNIUM - Exchange 0-day exploits
This Playbook is part of the Rapid Breach Response Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.
This playbook includes the following tasks:
- Collect indicators to be used in your threat hunting process
- Retrieve IOCs related to HAFNIUM and the exploited exchange 0-day vulnerabilities
- Discover IOCs related to the attack
- Query firewall logs to detect malicious network activity
- Search endpoint logs for malicious hashes to detect compromised hosts (Available from Cortex XSOAR 5.5.0).
- Block indicators
Read more about the attack on our Unit42 blog: https://unit42.paloaltonetworks.com/microsoft-exchange-server-vulnerabilities/ Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.
Dependencies#
This playbook uses the following sub-playbooks and scripts.
Sub-playbooks#
- Search Endpoint by CVE - Generic
- Palo Alto Networks - Hunting And Threat Detection
- Block Indicators - Generic v2
- Search Endpoints By Hash - Generic V2
Scripts#
- SearchIncidentsV2
- Set
- http
Commands#
- enrichIndicators
- createNewIndicator
- expanse-get-issues
Playbook Inputs#
| Name | Description | Default Value | Required |
|---|---|---|---|
| BlockIndicatorsAutomatically | Whether to automatically indicators involved with HAFNIUM exploits | False | Optional |
Playbook Outputs#
There are no outputs for this playbook.
Playbook Image#
