HAFNIUM - Post-Exploitation Analysis from Microsoft Exchange

it's fun to see how this thing works after speding two days patching all my exchange servers.
Thanks.

the thumbnail looks like its from a movie, great work John!

I want to thank you John because you took me to another stage in the cyber world

This is interesting stuff. We've had so many interesting (& super dangerous) exploits and vulnerabilities in last few years.
At 22:30 , it's a trick to add timestamps into URL. That's probably easiest way to make sure responses are not cached at any point. Of course it could be just lazy coding and used for monitoring purposes.
But little bit later John downloaded the payload (or w/e it turned out be) without the timestamp in URL. I'd always recommend to download payloads with exact same syntax. It's way too easy for malware developer to try to mislead here. If they had some nasty next stage, they could make it look like just like a boring and usual looking malware. And misleading the analysis is absolutely part of the game.

whole, gigantic powershell script, as a big ol’ format string? that’s neat

Been a software dev for a long time. Never seen this type of analysis done before... and watching this was absolutely fascinating.

I wasn't feeling good at all today. This video revamped me and bumped me up. Thanks John for not being just educational. But, entertaining and fun to watch too. Sending love and hoping ur having a great day

This is such an excellent primer for this sort of work, and you make it so entertaining! Looking forward to binging all your videos over the next couple of days :)

This high of production quality and you were able to put this out the same day you were prodding around. I appreciate the work you're doing, its extremely informative so thank you.

Thank you John !! Once again, I had fun and learned as much as I could (only some but that's in the right direction). You're awesome !

I thoroughly enjoyed the premiere + live chat replay feature here, as well as the content itself obviously. Keep up the good work my dude, im already recommending your channel to my friends!!!

I never commented on youtube videos before, but, I really want to thank you John Hammond for all the good work you're doing. You are F awesome and please keep it up. BTW, you are my favorite cyber-related TH-camr!

I don't know how you do it but whenever I watch one of your videos about malware analysis the time simply passes so quickly. Very entertaining thank you!

Your videos are great! I'm glad I found your channel. You have great information in a lot of topics I cover at work.

How John doesn't have millions of followers is beside me. Thank you for all this info John. Being 45 I missed the boat in the early 2000's but a year in Im hooked. Thanks to YOU David Bombal and Network Chuck you guys have helped this construction old guy immensely

Thanks for bringing awareness to such hacks. Right after the video, i checked the last few customers that still has on-premises exchange, and 75% of them were affected. We could mitigate the risk and apply fixes before anything worse happened. Thanks for this John Hammond.

Title Contains: Post Exploitation
Me: Oh Yeah, This is gonna be good

Best instructor I have come across. New subscriber here! Thank you good sir!

You’re a good guy. Don’t let the others bring you down just because you’re compiling open source information and sharing it in a logical and comprehensive manner. Though I consider myself a home brewed IT craptastistic person, I appreciate the information given every time you put up a video.

Thanks John. As a newbie, this was great. Love how you broke it up and explain this so much!!!!

Excellent work John, love your work mate!

Finishing up my final year in cybersecurity in college and videos like these make me so much more intrigued about this field, and that much more excited and motivated to learn more. Thank you for all the hard work you put into these!

Addicted to this content. How can I watch this whole video without any break?
Inner me : You found new love !

Great content John. Education and humour smashed. Big thumbs up for this one. Thanx

I'm absolutely Stoked for the NahamCon CTF!!!!

Thank you for your efforts and time, I really appreciate it.

i love all these type of videos, can't wait for more such that solarwinds or more of this helps!

Wonderful as always, great video!

Nice, You helped me a lot to understand the Threat!

I'm watching this as I going through our exchange server logs looking for backdoors :D a nice coincidance

As someone who knows next to nothing on malware analysis I had a funny feeling mimikatz would turn up haha. I have learnt so much from these exploration videos only knowing intro level programing and just learning cyber security, it was awesome to see the obsfucation techniques and layers built into this and connected so many dots for me. Awesome video.

T`han`ks for making the video! Good stuff down the rabbit hole. UGH, Empire is scary.

Also the powershell explosion + guy fawkes mask was hilarious :D

It's been a pleasure, John!

Cool thumbnail, cool video, cool person, could not asked for more :D

John, you make it very entertaining even though it makes my brain ache!

Amazing work, thank you for sharing

Hopefully no one tries to salem witch trial you for mis speaking because you are human after all.. I'm happy you are sharing public info for education. If someone gets upset about it then they must have ill intentions with that information. Keep up the great work!

Great reversing. Subscribed

Great Video!!! Can't wait for more.

Great video & I'm installing my fax machine again ;-)

Great video, thanks for sharing this!

This is professional evilness thanks for showing us this John this is very interesting to me! Big like

At around 20:54 the $dt is used to ensure cdn caching is bypassed. So the code on the cdn is static, but as soon as it is changed, the client is supposed to request a new copy.

Man, around 45:00 min in you weren't even exaggerating about that being an epiphany 😂
What a cool obfuscation technique!

Thanks for doing this. Very interesting.

Thanks John, learnt a lot.

Hey I signed up for a CTF randomly on CTFtime, and was pleasantly surprised to see it was one you created! Lol, I'm looking forward to it!

You're doing a great job Hammond

This was awesome man thanks!

can you do a longer deep dive into this sort of stuff in the future this is just magic and easy to digest

Thank you, this is very helpful!

Thank you John. As always you are very helpful and I appreciate you going through the reverse engineering process. See you on the next one! --Sage

Now I just like your content before watching! Its that good!!

Great work man!!!

great content, as usual !

Thank you John Very intresting

Crazy Thumbnail John!!

John looks intimidating in this thumbnail

Bro, just want you to know, you are awesome!

This 1Hr of video teaches more than what I have learnt in past 25 years of my life. Truly appreciate the knowledge you shared and for free.

Thanks for the good laugh when you copy and paste that big file! :) I would have done the same thing haha

Thank you, learned alot

Great Analysis

Got mind blown by that huge Powershell script made only for building an fstring piece by piece. Insane stuff!

Man that was fun and I love the recon of it

That is some next level PS scripting! Thanks for the video, John. I really enjoyed it.

Creating shellcode in a piece of malware that base64 encodes to McBAD is next level. Bravo to that 👏 👏

I like what ya’ did with the thumbnail

Most GREAT channel between others

interesting. Thanks for sharing!

Thank u! This has been a fun one. Unfortunately not out of the water yet. 🥶

Love it !!!

"I know this is really painful on 'human being' eyeballs"
John just confirmed he is a robot.

You have the coolest tech glasses 👓

OMG, that puzzle script is so cool

these videos are so fun!

Im never going to move up from my current position because....my current job has nothing to do with this subject. I am literally addicted to this madness that John keeps on about.
I literally cannot quit doing it. Lol
.. and so i will integrate this with my ongoing studies (beer drinking) as well as continue to try to keep up.

as a computer profesional i love these videos please keep doing the good work you are do.

Thumbnail looks 🔥

The image in the photo makes John look like some secret agent

video looks great

Thanks!

Us application security folks know about "format string vulnerabilities" from our C application experience, but this one is interestingly different and yet also suggests that name. :)

Seems like an easy way to get around this set of scripts in particular would be to have your environment variable something non-standard.

great, had fun

i'm not a programmer - but i love your videos!

Quick one: The long dot separated number strings at 1:04:50 such as "1.3.6.1.5.5.7.3.2" or "1.3.6.1.4.1.311.20.2.2" are SNMP MIB OIDs (en.wikipedia.org/wiki/Object_identifier).

this is what my org got hit by- i really appreciate the analysis!

your videos are great

Thank you again for a fantastic, informative video Master Hammond. You're an inspiration. ps. You say "sorry" too much. XD Own your shit my guy.

Hi, cool thumbnail!

Techcraft?
That sounds so ominous 😮
When somebody asks me if I have any hobbies, I just say that I like T.I.T.S. in my spare time.
Which OF COURSE stands for tinkering in tech services.

Serious John thumbnail exists.
Mom come pick me up I am scared

Perfect, as it should be xD

John always has to ctrl v or ctrl f something big and THEN realizes that he's made a mistake...LOL

Welldone

46:23 This is impressive. That has to be some of the most bullshit obfuscation techniques I have ever seen. And you got it. Bless you

The natural etc. strings are the join types in SQL, presumably part of SQLite

That was cool to watch , thx. Respect. And what about the ecp/y.js and webshell (aspx) files ?