From eaab88ef281970a960f6c5431d811ff6bef77ae0 Mon Sep 17 00:00:00 2001
From: Rony <rony_123@protonmail.ch>
Date: Fri, 5 Mar 2021 16:51:28 +0530
Subject: [PATCH] add HAFNIUM detection refs

---
 clusters/threat-actor.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/clusters/threat-actor.json b/clusters/threat-actor.json
index 999fc78..1b198a7 100644
--- a/clusters/threat-actor.json
+++ b/clusters/threat-actor.json
@@ -8457,7 +8457,9 @@
           "https://twitter.com/ESETresearch/status/1366862946488451088",
           "https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html",
           "https://us-cert.cisa.gov/ncas/alerts/aa21-062a",
-          "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289"
+          "https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289",
+          "https://github.com/microsoft/CSS-Exchange/tree/main/Security",
+          "https://github.com/cert-lv/exchange_webshell_detection"
         ]
       },
       "uuid": "4f05d6c1-3fc1-4567-91cd-dd4637cc38b5",