<?xml version="1.0" encoding="UTF-8"?>
<opml version="1.0">
<head>
<title>Exchange_Marauder</title>
</head>
<body>
<outline text="Exchange Marauder"><outline text="Tools"><outline text="Vulnerability Scanners"><outline text="Triage"><outline text="https://github.com/dpaulson45/HealthChecker#download"></outline>
</outline>
<outline text="Microsoft"><outline text="https://github.com/GossiTheDog/scanning/blob/main/http-vuln-exchange.nse"></outline>
<outline text="https://github.com/microsoft/CSS-Exchange/blob/main/Security/http-vuln-cve2021-26855.nse"></outline>
</outline>
</outline>
<outline text="Detection / Hunting"><outline text="Rapid7"><outline text="https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day/"></outline>
</outline>
<outline text="CrowdStrike"><outline text="https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits/"></outline>
</outline>
<outline text="FireEye"><outline text="https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html"></outline>
</outline>
<outline text="Microsoft"><outline text="365-Defender-Hunting-Queries"><outline text="https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md"></outline>
</outline>
<outline text="IOC Feed"><outline text="https://github.com/Azure/Azure-Sentinel/tree/master/Sample%20Data/Feeds"></outline>
</outline>
<outline text="https://github.com/microsoft/CSS-Exchange/blob/main/Security/src/Test-ProxyLogon.ps1"></outline>
</outline>
<outline text="CERT-LV"><outline text="https://github.com/cert-lv/exchange_webshell_detection/blob/main/detect_webshells.ps1"></outline>
</outline>
<outline text="Neo23x0"><outline text="https://github.com/Neo23x0/signature-base/blob/master/yara/apt_hafnium.yar#L172"></outline>
</outline>
<outline text="Unit221b"><outline text="https://checkmyowa.unit221b.com/"></outline>
</outline>
<outline text="Trustedsec"><outline text="https://github.com/trustedsec/defensive-scripts"></outline>
</outline>
</outline>
<outline text="Mitigation"><outline text="Microsoft"><outline text="https://github.com/microsoft/CSS-Exchange/blob/main/Security/src/ExchangeMitigations.ps1"></outline>
<outline text="https://msrc-blog.microsoft.com/2021/03/15/one-click-microsoft-exchange-on-premises-mitigation-tool-march-2021/"></outline>
</outline>
</outline>
<outline text="Remediation"><outline text="Microsoft"><outline text="https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download"></outline>
</outline>
</outline>
</outline>
<outline text="Attribution"><outline text="Microsoft"><outline text="https://blogs.microsoft.com/on-the-issues/2021/03/02/new-nation-state-cyberattacks/"><outline text="HAFNIUM"></outline>
</outline>
</outline>
</outline>
<outline text="Implants"><outline text="ChinaChopper"><outline text="https://twitter.com/jhencinski/status/1367225483407089665"></outline>
<outline text="https://twitter.com/noottrak/status/1367276764741963780"></outline>
</outline>
</outline>
<outline text="Emulation"><outline text="Praetorian"><outline text="https://www.praetorian.com/blog/reproducing-proxylogon-exploit/"></outline>
</outline>
</outline>
<outline text="Exploits"><outline text="CVE-2021-26855"><outline text="jsdryan"><outline text="https://github.com/jsdryan/CVE-2021-26855/blob/main/CVE-2021-26855.go"></outline>
</outline>
<outline text="Rapid7"><outline text="https://github.com/rapid7/metasploit-framework/blob/f7fe97a1458df7b45562013af3a70f5bd0a8cf7b/modules/auxiliary/gather/exchange_proxylogon_collector.rb"></outline>
</outline>
</outline>
<outline text="Information Gathering"><outline text="https://github.com/sophoslabs/metasploit_gather_exchange"></outline>
</outline>
<outline text="CVE-2021-26855 &amp; CVE-2021-27065"><outline text="https://github.com/hausec/ProxyLogon"></outline>
<outline text="https://gitlab.com/gvillegas/ohwaa/"></outline>
</outline>
</outline>
<outline text="Security Advisories"><outline text="Microsoft"><outline text="https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server/"><outline text="CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065"></outline>
</outline>
<outline text="https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/"></outline>
<outline text="https://techcommunity.microsoft.com/t5/exchange-team-blog/released-march-2021-exchange-server-security-updates/ba-p/2175901"></outline>
</outline>
<outline text="CISA (note: the linked alert AA20-352A is CISA's SolarWinds/Orion advisory, not the Exchange one; the Exchange advisory is AA21-062A, 'Mitigate Microsoft Exchange Server Vulnerabilities')"><outline text="https://us-cert.cisa.gov/ncas/alerts/aa20-352a"></outline>
</outline>
<outline text="https://proxylogon.com"><outline text="CVE-2021-26855 "></outline>
<outline text="CVE-2021-27065"></outline>
</outline>
</outline>
<outline text="Incidents"><outline text="Volexity"><outline text="https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/"></outline>
</outline>
<outline text="Microsoft"><outline text="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/"><outline text="TTP"><outline text="Command &amp; Control"><outline text="https://github.com/cobbr/Covenant"></outline>
</outline>
<outline text="Exfiltration"><outline text="MEGA"></outline>
</outline>
<outline text="Execution"><outline text="Nishang"><outline text="https://github.com/samratashok/nishang"></outline>
</outline>
</outline>
</outline>
</outline>
</outline>
<outline text="Truesec"><outline text="https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/"></outline>
</outline>
<outline text="RedCanary"><outline text="https://redcanary.com/blog/microsoft-exchange-attacks/"></outline>
</outline>
<outline text="PaloAlto Unit42"><outline text="https://unit42.paloaltonetworks.com/china-chopper-webshell/"></outline>
</outline>
<outline text="DomainTools"><outline text="https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders"></outline>
</outline>
<outline text="ESET"><outline text="https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/"></outline>
</outline>
</outline>
</outline>
</body>
</opml>