Analytics Story: HAFNIUM Group

Description

The HAFNIUM group was identified by Microsoft as exploiting four Microsoft Exchange CVEs in the wild: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.

Why it matters

On Tuesday, March 2, 2021, Microsoft released an out-of-band set of security patches for its mail server, Microsoft Exchange. These patches address a group of vulnerabilities known to affect Exchange 2013, 2016, and 2019. An Exchange 2010 security update was also issued, although the CVEs do not list that version as vulnerable. While the CVEs give few specifics about the vulnerabilities or exploits, the first vulnerability (CVE-2021-26855) is a server-side request forgery with a remote network attack vector that lets the attacker, a group Microsoft named HAFNIUM, authenticate as the Exchange server. Three further vulnerabilities (CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) were identified as part of the same activity. Chained with CVE-2021-26855 for initial access, they give the attacker complete control of the Exchange server, including the ability to run code as SYSTEM and to write files to any path on the server, which is how the web shells were dropped. The following Splunk detections help identify the HAFNIUM group's tradecraft and methodology.

Detections

| Name | Technique | Type |
|---|---|---|
| Web or Application Server Spawning a Shell | External Remote Services, Exploit Public-Facing Application | TTP |
| Dump LSASS via procdump | LSASS Memory | TTP |
| Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP |
| Detect Renamed PSExec | Service Execution | Hunting |
| Windows PUA Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly |
| Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP |
| Malicious PowerShell Process - Execution Policy Bypass | PowerShell | Anomaly |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Detect New Local Admin account | Local Account | TTP |
| Email servers sending high volume traffic to hosts | Remote Email Collection | Anomaly |
| Windows File Download Via PowerShell | PowerShell, Ingress Tool Transfer | Anomaly |
| PowerShell - Connect To Internet With Hidden Window | PowerShell | Hunting |
| Windows Suspicious Child Process Spawned From WebServer | Web Shell | Anomaly |
| Set Default PowerShell Execution Policy To Unrestricted or Bypass | PowerShell | TTP |
| Ntdsutil Export NTDS | NTDS | TTP |
| Nishang PowershellTCPOneLine | PowerShell | TTP |
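The two detections most specific to the initial-access phase of this story are the web shell drop and the IIS worker process spawning a shell. The following Python is an added example, not part of this Splunk story and not its SPL: it runs the same two pieces of logic over a handful of constructed Sysmon-style events (EventID 11 FileCreate and EventID 1 ProcessCreate), so the reader can see what each rule keys on. The web-root directories are the ones Microsoft reported HAFNIUM writing shells into; the event field names, the hostname and the file names are assumptions made up for the example.

```python
"""Toy detection pass over constructed Sysmon-style events for HAFNIUM
Exchange tradecraft. Added example; not a Splunk detection, and every
event below is constructed, not real telemetry."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Exchange web roots that Microsoft reported HAFNIUM dropping web shells
# into. A script file appearing here is the core of the
# "Detect Exchange Web Shell" idea.
WEBSHELL_DIRS = re.compile(
    r"\\(inetpub\\wwwroot\\aspnet_client|"
    r"Exchange Server\\V15\\FrontEnd\\HttpProxy\\(owa\\auth|ecp\\auth))\\",
    re.IGNORECASE,
)
WEBSHELL_EXTS = (".aspx", ".ashx", ".asmx", ".asp")

# IIS worker process (or another web server) spawning an interactive shell.
WEB_SERVER_PROCS = {"w3wp.exe", "httpd.exe", "nginx.exe"}
SHELL_PROCS = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def detect_exchange_webshell(event: dict) -> Optional[Alert]:
    """Sysmon EventID 11 (FileCreate): script file written under an Exchange web root."""
    if event.get("EventID") != 11:
        return None
    target = event.get("TargetFilename", "")
    if target.lower().endswith(WEBSHELL_EXTS) and WEBSHELL_DIRS.search(target):
        return Alert("Detect Exchange Web Shell", event["Computer"],
                     f"{_basename(event.get('Image', ''))} wrote {target}")
    return None


def detect_webserver_spawning_shell(event: dict) -> Optional[Alert]:
    """Sysmon EventID 1 (ProcessCreate): web server parent with a shell child."""
    if event.get("EventID") != 1:
        return None
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    if parent in WEB_SERVER_PROCS and child in SHELL_PROCS:
        return Alert("Web or Application Server Spawning a Shell", event["Computer"],
                     f"{parent} -> {child} {event.get('CommandLine', '')}".strip())
    return None


RULES = (detect_exchange_webshell, detect_webserver_spawning_shell)


def run_detections(events: Iterable[dict]) -> List[Alert]:
    """Apply every rule to every event; returns alerts in event order."""
    return [alert for ev in events for rule in RULES if (alert := rule(ev)) is not None]


# Constructed sample events (hostname, paths and command line are made up).
SAMPLE_EVENTS = [
    {"EventID": 11, "Computer": "EXCH01",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\system_web\supp0rt.aspx"},
    {"EventID": 11, "Computer": "EXCH01",            # benign: Exchange's own log file
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa\HttpProxy_2021030213-1.LOG"},
    {"EventID": 1, "Computer": "EXCH01",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "Computer": "EXCH01",             # benign: admin opened PowerShell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
    {"EventID": 1, "Computer": "EXCH01",             # benign: console host under IIS
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\conhost.exe",
     "CommandLine": "conhost.exe 0xffffffff"},
]

if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Two of the five constructed events fire, one per rule. In production the process-spawn rule needs tuning: some applications hosted in IIS legitimately launch cmd.exe or PowerShell, so the Splunk detection of the same name is scoped with an allow list of known parent/child pairs rather than used raw.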

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4720 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4732 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |

Source: GitHub | Version: 2