-
500 items
1 item
88 item
169 item
9 item
11 item
13 item
213 item - For developers
In the version 1.0.1 release, this package comes with IoC data feed from MISP (https://www.circl.lu/services/misp-malware-information-sharing-platform/) , and Dashboard for "HAFNIUM Data Feed Overview" shows statics from additional active list, which is not empty by default.
On March 02, 2021, Microsoft published a detailed report addressing four previously unknown or zero-day vulnerabilities in Microsoft Exchange Server used in targeted attacks.
HAFNIUM has exploited Exchange email service that allowed them to gain access to internal systems.
This package requires Threat Intelligent Platform package which can be downloaded at https://marketplace.microfocus.com/arcsight/content/esm-default-content.
This package also comes with IoC data feed from MISP and from PWC (https://www.pwc.com/), which is stored in the following 4 active lists:
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Addresses
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Domain
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Hash
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious URL
Following use cases are covered in this package:
Following MITRE ATT&CK Techniques are covered as well:
System Requirements
===========================
Micro Focus ArcSight ESM 6.9.1c or above.
Pre-installation
===========================
If Threat Intelligent Platform package is not installed, download and install it from https://marketplace.microfocus.com/arcsight/content/esm-default-content
If the following 4 active lists are customized, please backup them first.
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Addresses
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Domain
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious Hash
/All Active Lists/ArcSight Foundation/Threat Intelligence Platform/User Defined Reputation Data/Additional Suspicious URL
To install this package:
===========================
The zip file contains three files: package arb file, signature of arb file, and Readme.
Micro Focus provides a digital public key to enable you to verify that the signed software you received is indeed from Micro Focus and has not been manipulated in any way by a third party. Visit the following site for information and instructions:
https:/entitlement.mfgs.microfocus.com/ecommerce/efulfillment/digitalSignIn.do
It is required to log in using a Microfocus/Software passport (It gives the option to create an account)
Perform the following steps in the ArcSight Console.
1. Go to the ArcSight Console.
2. Click on Packages
3. Click Import
4. Select arb file from the zip file
5. Follow prompt to import and install this package
To upgrade this package from v1.0.0.0
===========================
Just follow the installation steps to install this package without deleting the old version.
To uninstall:
===========================
Right click package from ArcSight Console, then select "Uninstall Package".
ESM 6.9.1 and above
Threat Intelligence Platform package is required to install first.
Suggested for you are based on app category, product compatibility, popularity, rating and newness. Some apps may not show based on entitlements. Learn more about entitlements.
In the version 1.0.1 release, this package comes with IoC data feed from MISP (https://www.circl.lu/services/misp-malware-information-sharing-platform/) , and Dashboard for "HAFNIUM Data Feed Overview" shows statics from additional active list.
On March 02, 2021, Microsoft published a detailed report addressing four previously unknown or zero-day vulnerabilities in Microsoft Exchange Server used in targeted attacks.
HAFNIUM has exploited Exchange email service that allowed them to gain access to internal systems.
Following use cases are covered in this package:
Dangerous Browsing to a Suspicious Hafnium URL
Hafnium Detected by Vendor
Inbound Traffic from a Hafnium Suspicious Address
Inbound Traffic from a Hafnium Suspicious Domain
Outbound Traffic to a Hafnium Suspicious Address
Outbound Traffic to a Hafnium Suspicious Domain
Suspicious Hafnium File Hash Activity
Following MITRE ATT&CK Techniques are covered as well:
T1190-Exploit Public-Facing Application
T1566.002-Spearphishing Link
Please upgrade to one of the following broswers: Internet Explorer 11 (or greater) or the latest version of Chrome or Firefox
