Silk Typhoon Suspicious Exchange Request

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

This query looks for suspicious request patterns to Exchange servers that fit a pattern observed by Silk Typhoon actors. The same query can be run on HTTPProxy logs from on-premise hosted Exchange servers. Reference: https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	`23005e87-2d3a-482b-b03d-edbebd1ae151`
Severity	Medium
Kind	Scheduled
Tactics	InitialAccess
Techniques	T1190
Required Connectors	AzureMonitor(IIS)
Source	View on GitHub

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules