daknetworks.com

HAFNIUM Scheduled Tasks

The HAFNIUM exploit for Exchange servers has taken everyone by storm.

In short, check for any indicators of compromise (IOCs) by running the Test-ProxyLogon.ps1 script:
https://github.com/microsoft/CSS-Exchange/tree/main/Security

Next, run the Microsoft Support Emergency Response Tool (MSERT) to eliminate any glaring errors:
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

The notes on the MSERT are here:
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Some are reporting Scheduled Tasks doing damage. Here is how to view the Scheduled Tasks:

Get-ScheduledTask | Select-Object TaskName, Actions -ExpandProperty Actions | Select-Object TaskName, Execute, Arguments | Format-Table -Wrap

There are some reports of newly created accounts/groups, so let's check those as well:

# Requires the ActiveDirectory module. $days holds the cutoff date, 30 days back from now.
$days = (Get-Date).AddDays(-30)
# Users and groups created or changed since the cutoff
Get-ADUser -Filter * -Property whenCreated | Where-Object {$_.whenCreated -gt $days} | Format-Table Name, whenCreated
Get-ADUser -Filter * -Property whenChanged | Where-Object {$_.whenChanged -gt $days} | Format-Table Name, whenChanged
Get-ADGroup -Filter * -Property whenCreated | Where-Object {$_.whenCreated -gt $days} | Format-Table Name, whenCreated
Get-ADGroup -Filter * -Property whenChanged | Where-Object {$_.whenChanged -gt $days} | Format-Table Name, whenChanged
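
The Scheduled Task listing above shows every task with no sense of age. As an added example (not part of the original post), this applies the same 30-day window used for the AD checks to Scheduled Tasks and adds the author, run-as account and on-disk timestamps; the interpreter pattern and the output field names are assumptions made for this example.

```powershell
# Added example, not from the original post. Run in an elevated session on the server.
$cutoff   = (Get-Date).AddDays(-30)                      # same 30-day window as the AD checks
$taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'   # on-disk task definitions

# Assumed heuristic: interpreters and download tools worth a second look in a task action.
$suspect = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin'

$report = foreach ($task in Get-ScheduledTask) {
    # Registration date from the task definition; often empty, so file timestamps are also used.
    $registered = $null
    if ($task.Date) { $registered = $task.Date -as [datetime] }

    $file     = Join-Path $taskRoot ($task.TaskPath.TrimStart('\') + $task.TaskName)
    $fileInfo = Get-Item -LiteralPath $file -ErrorAction SilentlyContinue

    foreach ($action in $task.Actions) {
        # COM handler actions have no Execute/Arguments, so Command is empty for them.
        $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
        [pscustomobject]@{
            TaskPath    = $task.TaskPath
            TaskName    = $task.TaskName
            Author      = $task.Author
            RunAs       = $task.Principal.UserId
            Registered  = $registered
            FileCreated = $fileInfo.CreationTime
            FileChanged = $fileInfo.LastWriteTime
            Command     = $cmd
            Recent      = ($registered -gt $cutoff) -or ($fileInfo.LastWriteTime -gt $cutoff)
            Interpreter = $cmd -match $suspect
        }
    }
}

# Review recent or interpreter-driven tasks first; the full list stays in $report.
$report | Where-Object { $_.Recent -or $_.Interpreter } |
    Sort-Object FileChanged -Descending |
    Format-List TaskPath, TaskName, Author, RunAs, Registered, FileCreated, FileChanged, Command
```

Windows updates also rewrite task files, so a recent timestamp is a prompt to read the command and author, not proof of compromise. File timestamps can be altered, so compare the results against a known-good server or backup where one exists.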
