Check Point response to HAFNIUM Attack
Symptoms
Solution
Check Point provides security coverage for the vulnerabilities reported by Microsoft through the following Threat Prevention protections:

IPS

  1. CVE-2021-26855 - CPAI-2021-0099
  2. CVE-2021-26857 - CPAI-2021-0107
  3. CVE-2021-26858 - CPAI-2021-0107
  4. CVE-2021-27065 - CPAI-2021-0099

Threat Emulation

  1. Trojan.WinsCVE-2021-27065.A

Anti-Virus

  1. HAFNIUM.TC.XXX
  2. Trojan.Win32.Hafnium.TC.XXX


Harmony Endpoint (SandBlast Agent)

  1. Behavioral.Win.SuspExchange.A
  2. Behavioral.Win.SuspExchange.B
  3. Behavioral.Win.SuspExchange.C
  4. Behavioral.Win.SuspExchange.D

Threat Hunting

Check Point added a set of predefined queries to Harmony Endpoint Threat Hunting. If any of these queries returns a match, investigate it immediately. The queries are:

  1. HAFNIUM: Web Shell File Hashes
  2. HAFNIUM: Abnormal Exchange Server process execution
  3. HAFNIUM: Credential Dumping using procdump.exe
  4. HAFNIUM: Credential Dumping utilizing a DLL
  5. HAFNIUM: Suspicious PowerShell usage
  6. HAFNIUM: Suspicious script execution utilizing PowerCat
  7. HAFNIUM: Suspicious Exchange PowerShell Snapin load
  8. HAFNIUM: Suspicious IPs outbound traffic
  9. HAFNIUM: Suspicious IPs inbound traffic
  10. HAFNIUM: Creation of suspicious files by the Exchange Server
  11. HAFNIUM: Creation of suspicious files by the Exchange Server 2
  12. HAFNIUM: Known Web Shell file names
  13. HAFNIUM: ASPX Web Shell file based indicator
  14. HAFNIUM: ASPX Web Shell file based indicator 2
  15. HAFNIUM: Exfiltration file based indicators
  16. HAFNIUM: Suspicious AMSI content
