HAFNIUM IIS Log Search Patterns
# Quick tip to find the most common artifacts of the HAFNIUM Exchange attacks with nothing more than IIS logs...
# Run these grep patterns against all logs in C:\inetpub\logs\LogFiles\W3SVC1 (the Default Web Site; check any other W3SVC* site folders as well)
#
# https://twitter.com/eric_capuano
# Quick check for likely successful attacks
## Bash (faster)
egrep -i '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
## PowerShell
Select-String -Pattern '((POST.*\/aspnet_client\/)|(system_web\/[A-Za-z0-9]{8}\.aspx|\/ecp\/y\.js)).*2[0-9]{2}\s[0-9]+' *.log
# More thorough check for the most common IOCs; higher chance of false positives, and it also matches failed attempts
## Bash
egrep -i '(python-requests|ExchangeServicesClient\/0\.0\.0\.0|system_web|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198|104\.248\.49\.97|ecp\/y\.js|supp0rt|\/(shell|one|xx|[A-Za-z])\.aspx|aspnet_client|RedirSuiteServerProxy)' *.log
## PowerShell
Select-String -Pattern '(python-requests|ExchangeServicesClient\/0\.0\.0\.0|system_web|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198|104\.248\.49\.97|ecp\/y\.js|supp0rt|\/(shell|one|xx|[A-Za-z])\.aspx|aspnet_client|RedirSuiteServerProxy)' *.log
BR0KK (Author) commented Mar 18, 2021

Hi there,

How do I interpret the results of these queries the right way?

ExchangeServicesClient/0.0.0.0 - 200 0 0 67

200 is Connection OK, but what do those other numbers mean?
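The two gist patterns run over an IIS log in Python, as an added example that is not part of the gist or the comment above. It assumes the default IIS 7+ W3C field layout, which the `#Fields:` header at the top of each log declares: `... cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken`. Read against that header, a hit ending `ExchangeServicesClient/0.0.0.0 - 200 0 0 67` is user-agent, empty referer (`-`), HTTP status 200, sub-status 0, Win32 status 0, and 67 ms time-taken. The example goes one step beyond the grep one-liners: it keys each column by the header name and tests the parsed `sc-status` for 2xx, instead of the loose digit-run at the end of the first pattern, so a 404 against the same webshell path shows up in the broad IOC sweep but not as a likely success. The log lines are constructed, not real HAFNIUM traffic.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample in the default IIS 7+ W3C layout (not real HAFNIUM traffic).
# IIS writes one space-separated record per request; the column names are in the
# "#Fields:" header, and spaces inside a value (e.g. User-Agent) are written as "+".
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 01:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 01:02:03 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2021-03-03 01:02:10 10.0.0.5 POST /ecp/y.js - 443 - 198.51.100.7 ExchangeServicesClient/0.0.0.0 - 200 0 0 67
2021-03-03 01:02:11 10.0.0.5 POST /aspnet_client/system_web/abcd1234.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 200 0 0 12
2021-03-03 01:02:12 10.0.0.5 POST /aspnet_client/system_web/abcd1234.aspx - 443 - 198.51.100.7 python-requests/2.25.1 - 404 0 2 5
"""

# Alternations ported from the gist's two grep patterns (grep -i -> re.I).
# The "quick check" URI part; the 2xx test is done on the parsed sc-status below.
LIKELY_SUCCESS_URI = re.compile(
    r"POST.*/aspnet_client/|system_web/[A-Za-z0-9]{8}\.aspx|/ecp/y\.js", re.I)
# The "more thorough" IOC sweep (same terms as the gist, duplicate dropped).
BROAD_IOC = re.compile(
    r"python-requests|ExchangeServicesClient/0\.0\.0\.0|system_web"
    r"|172\.104\.251\.234|23\.101\.135\.86|34\.78\.227\.165|35\.187\.190\.226"
    r"|82\.221\.139\.240|86\.105\.18\.116|165\.232\.154\.116|157\.230\.221\.198"
    r"|104\.248\.49\.97|ecp/y\.js|supp0rt|/(shell|one|xx|[A-Za-z])\.aspx"
    r"|aspnet_client|RedirSuiteServerProxy", re.I)


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names from the #Fields: header.
    The raw line is kept under "_raw" so the gist regexes can be applied unchanged."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # IIS may emit a new header mid-file; re-map
            continue
        if line.startswith("#"):        # #Software / #Version / #Date directives
            continue
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue                    # no header yet, or a truncated/odd line
        rec = dict(zip(fields, values))
        rec["_raw"] = line
        yield rec


def likely_successful(text: str) -> List[Dict[str, str]]:
    """Gist 'quick check': webshell/drop path hit AND a 2xx response."""
    return [r for r in parse_w3c(text)
            if LIKELY_SUCCESS_URI.search(r["_raw"]) and r["sc-status"].startswith("2")]


def broad_hits(text: str) -> List[Dict[str, str]]:
    """Gist 'more thorough' sweep: any IOC term, regardless of status."""
    return [r for r in parse_w3c(text) if BROAD_IOC.search(r["_raw"])]


def describe(rec: Dict[str, str]) -> str:
    """Spell out the trailing columns that a bare grep hit shows as '200 0 0 67'."""
    return (f"{rec['c-ip']} {rec['cs-method']} {rec['cs-uri-stem']} ua={rec['cs(User-Agent)']} "
            f"sc-status={rec['sc-status']} sc-substatus={rec['sc-substatus']} "
            f"sc-win32-status={rec['sc-win32-status']} time-taken={rec['time-taken']}ms")


if __name__ == "__main__":
    for rec in likely_successful(SAMPLE_LOG):
        print("LIKELY SUCCESS:", describe(rec))
    for rec in broad_hits(SAMPLE_LOG):
        print("IOC MATCH:     ", describe(rec))
```

Feed `parse_w3c` the contents of the real files under `C:\inetpub\logs\LogFiles\W3SVC1` and the other `W3SVC*` folders; because the mapping comes from the header, a site logging a different field set still gets its columns named correctly. In the sample, the 404 with `sc-win32-status` 2 (Win32 ERROR_FILE_NOT_FOUND) on the `system_web` path is the attacker probing for a webshell that is not there, which belongs on the timeline next to the 200s even though the quick check rightly does not flag it.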
