mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-08 18:23:52 +00:00
36 lines
1.1 KiB
YAML
36 lines
1.1 KiB
YAML
title: CVE-2021-26858 Exchange Exploitation
|
||
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
|
||
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for |
|
||
creation of non-standard files on disk by Exchange Server’s Unified Messaging service |
|
||
which could indicate dropping web shells or other malicious content
|
||
author: Bhabesh Raj
|
||
status: experimental
|
||
level: critical
|
||
references:
|
||
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
|
||
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
|
||
date: 2021/03/03
|
||
tags:
|
||
- attack.t1203
|
||
- attack.execution
|
||
- cve.2021-26858
|
||
logsource:
|
||
category: file_event
|
||
product: windows
|
||
detection:
|
||
selection:
|
||
Image|endswith: 'UMWorkerProcess.exe'
|
||
filter:
|
||
TargetFilename|endswith:
|
||
- 'CacheCleanup.bin'
|
||
- '.txt'
|
||
- '.LOG'
|
||
- '.cfg'
|
||
- 'cleanup.bin'
|
||
condition: selection and not filter
|
||
fields:
|
||
- ComputerName
|
||
- TargetFileName
|
||
falsepositives:
|
||
- Unknown
|