BR0KK
BR0KK
/ gist:16e52a408561e16b895c1db483c6a81b
Created
March 18, 2021 09:07
— forked from ecapuano/gist:13386852fb80beac4561f2bed569095e
HAFNIUM IIS Log Search Patterns
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Quick tip to find super common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs... | |
| # Run this grep pattern against all logs in C:\inetpub\logs\LogFiles\W3SVC1 | |
| # | |
| # https://twitter.com/eric_capuano | |
| # Quick check for likely successful attacks | |
| ## Bash (faster) | |
| egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log | |
| ## PowerShell | |
| Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log |