Description of Campaign
Unknown threat actors have exploited a remote code execution vulnerability in Microsoft SharePoint, classified under CVE-2019-0604 to attack entities in the Middle East. The flaw allows the adversary to upload a range of tools and malware including multiple web shells and the
Mimikatz tool. These tools allow attackers to move laterally across the network and steal sensitive information including passwords and system information.
- Review the following product detection table and confirm that your environment is at least on the specified content version.
To download the latest content versions, go to the Security Updates page.
- Review KB91836 - Countermeasures for entry vector threats. This article contains countermeasures for Downloaders, Droppers, and Phishing.
- Review KB87843 - Dynamic Application Containment rules and best practices. This article contains best practices for these rules.
- Review KB82925 - Identify what rule corresponds to an Adaptive Threat Protection and Threat Intelligence Exchange event. This article contains details about several Rule IDs related to ATP/JTI Rules.
Campaign IOC
| Type |
Value |
| Sha256 |
5D4628D4DD89F31236F8C56686925CBB1A9B4832F81C95A4300E64948AFEDE21 |
Minimum Content Versions:
| Content Type |
Version |
| V2 DAT (VirusScan Enterprise) |
9537 |
| V3 DAT (Endpoint Security) |
3988 |
Detection Summary:
| IOC |
Scanner |
Detection |
| 5D4628D4DD89F31236F8C56686925CBB1A9B4832F81C95A4300E64948AFEDE21 |
AVEngine V2 |
ASP/WebShell.h |
| AVEngine V3 |
ASP/WebShell.h |
| JTI (ATP Rules) |
- |
| RP Static |
- |
| RP Dynamic |
- |
