SigmaHQ/rules/windows/file_event/sysmon_cve_2021_26858_msexchange.yml

title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
description: |
    Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for
    the creation of non-standard files on disk by the Exchange Server Unified Messaging service,
    which could indicate the dropping of web shells or other malicious content
author: Bhabesh Raj
status: experimental
level: critical
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26858
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
tags:
    - attack.t1203
    - attack.execution
    - cve.2021-26858
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: 'UMWorkerProcess.exe'
    filter:
        TargetFilename|endswith:
            - 'CacheCleanup.bin'
            - '.txt'
            - '.LOG'
            - '.cfg'
            - 'cleanup.bin'
    condition: selection and not filter
fields:
    - ComputerName
    - TargetFilename
falsepositives:
    - Unknown
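To make the `selection and not filter` logic concrete, the following Python evaluator is an added example (not part of the SigmaHQ rule or its toolchain) that applies this rule to constructed Sysmon Event ID 11 records; the host name, file paths and event dicts are made up for illustration. It follows Sigma's default case-insensitive string matching, so the `.LOG` filter entry also suppresses `.log` files, a detail a hand-written query can easily get wrong.

```python
"""Minimal evaluator for the CVE-2021-26858 Sigma rule above (added example).

Sigma semantics mirrored here: `endswith` is case-insensitive unless the
`cased` modifier is used, `selection` must match, and any matching value in
`filter` suppresses the alert (condition: selection and not filter).
"""

SELECTION_IMAGE_SUFFIX = "UMWorkerProcess.exe"
FILTER_SUFFIXES = ("CacheCleanup.bin", ".txt", ".LOG", ".cfg", "cleanup.bin")


def _endswith_ci(value: str, suffix: str) -> bool:
    """Case-insensitive endswith, matching Sigma's default string comparison."""
    return value.lower().endswith(suffix.lower())


def matches_rule(event: dict) -> bool:
    """Return True if a file_event record (Sysmon Event ID 11) triggers the rule."""
    image = event.get("Image", "")
    target = event.get("TargetFilename", "")
    selection = _endswith_ci(image, SELECTION_IMAGE_SUFFIX)
    filtered = any(_endswith_ci(target, s) for s in FILTER_SUFFIXES)
    return selection and not filtered


def alerts(events):
    """Return (ComputerName, TargetFilename) for each hit, i.e. the rule's `fields`."""
    return [(e.get("ComputerName"), e.get("TargetFilename"))
            for e in events if matches_rule(e)]


# Constructed sample events, not real telemetry; field names follow Sysmon Event ID 11.
UM_IMAGE = r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe"
SAMPLE_EVENTS = [
    # UM worker writing an .aspx under the web root: non-standard, alerts.
    {"ComputerName": "EXCH01", "Image": UM_IMAGE,
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\page.aspx"},
    # Same process writing a lower-case .log file: filtered despite the rule's '.LOG'.
    {"ComputerName": "EXCH01", "Image": UM_IMAGE,
     "TargetFilename": r"C:\ExchangeTemp\UMService.log"},
    # Different process writing the same .aspx: selection fails, no alert from this rule.
    {"ComputerName": "EXCH01", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\page.aspx"},
]

if __name__ == "__main__":
    for host, path in alerts(SAMPLE_EVENTS):
        print(f"ALERT {host}: {path}")
```

For production use, convert the rule with sigma-cli/pySigma into your SIEM's query language rather than hand-porting it; this snippet only illustrates the matching semantics.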