SigmaHQ/rules/web/web_cve_2021_26858_iis_rce.yml
2021-08-17 06:24:04 +02:00

title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
status: experimental
description: Detects the ProxyLogon step in which the CVE-2021-26855 SSRF is used to reach the ECP DDI SetObject endpoint and reset a virtual directory (CVE-2021-26858 / CVE-2021-27065 chain). Because the request arrives through the SSRF, IIS logs it as authenticated by the Exchange machine account, i.e. a cs-username ending in '$'.
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
logsource:
    product: windows
    category: webserver
    definition: W3C logging must be enabled on the IIS site, see https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'
        cs-uri-query|contains|all:
            - 'schema=Reset'
            - 'VirtualDirectory'
        cs-username|endswith: '$'
    keywords:
        - 'POST'
        - '200'
        - '/ecp/DDI/DDIService.svc/SetObject'
        - 'schema=Reset'
        - 'VirtualDirectory'
        - '$'
    condition: selection or all of keywords
falsepositives:
    - Unlikely
level: critical
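To see what the rule above actually matches, here is the selection and the keyword fallback applied to IIS W3C log lines. This is an added example, not part of the SigmaHQ rule or the referenced article; the log lines are constructed for the example (the ResetOABVirtualDirectory query value is chosen only because it satisfies the rule's contains|all pattern), and the parser relies on the #Fields header so it is independent of the field order configured on a given server.

```python
"""Apply the ProxyLogon 'Reset VirtualDirectory' Sigma rule to IIS W3C log lines.

Added example: the log below is constructed, not taken from a real incident.
IIS writes space-separated fields and encodes spaces inside values as '+',
so splitting on single spaces is safe for real logs too.
"""

# Constructed IIS W3C extended log with the default field set.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2021-03-03 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-03-03 10:00:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=abc123 443 EXCH01$ 203.0.113.7 python-requests/2.25.1 - 200 0 0 95
2021-03-03 10:00:03 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=abc123 443 EXCH01$ 203.0.113.7 python-requests/2.25.1 - 500 0 0 40
2021-03-03 10:00:04 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=def456 443 CORP\\admin 10.0.0.20 Mozilla/5.0 https://exch01/ecp/ 200 0 0 80
2021-03-03 10:00:05 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=VirtualDirectory&msExchEcpCanary=abc123 443 EXCH01$ 203.0.113.7 python-requests/2.25.1 - 200 0 0 60
"""

# Field-based selection from the rule (equality on three fields, contains|all on
# the query string, endswith on the user name).
SELECTION = {
    "cs-method": "POST",
    "sc-status": "200",
    "cs-uri-stem": "/ecp/DDI/DDIService.svc/SetObject",
}
QUERY_CONTAINS_ALL = ("schema=Reset", "VirtualDirectory")

# Free-text fallback from the rule's 'keywords' block ('all of keywords').
KEYWORDS = (
    "POST", "200", "/ecp/DDI/DDIService.svc/SetObject",
    "schema=Reset", "VirtualDirectory", "$",
)


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields header names.

    Each record also keeps the raw line under '_raw' for the keyword fallback.
    """
    fields = []
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            # Malformed or pre-header line: keep raw only so keyword matching still sees it.
            records.append({"_raw": line})
            continue
        rec = dict(zip(fields, values))
        rec["_raw"] = line
        records.append(rec)
    return records


def match_selection(rec):
    """Field-based test. Sigma string matching is case-insensitive by default."""
    for field, expected in SELECTION.items():
        if rec.get(field, "").lower() != expected.lower():
            return False
    query = rec.get("cs-uri-query", "").lower()
    if not all(token.lower() in query for token in QUERY_CONTAINS_ALL):
        return False
    # Machine account (EXCH01$ or DOMAIN\EXCH01$), as seen when the SSRF reaches the backend.
    return rec.get("cs-username", "").endswith("$")


def match_keywords(raw_line):
    """Free-text fallback: every keyword must appear somewhere in the line."""
    low = raw_line.lower()
    return all(keyword.lower() in low for keyword in KEYWORDS)


def detect(text):
    """Return the raw lines that satisfy 'selection or all of keywords'."""
    return [
        rec["_raw"]
        for rec in parse_w3c(text)
        if match_selection(rec) or match_keywords(rec["_raw"])
    ]


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print("ALERT:", hit)
```

Only the second constructed line fires: the 500 response, the request by a normal user, and the query that says VirtualDirectory without schema=Reset are all rejected by the selection. Note that the keyword fallback is the weaker half of the rule: the literals '200' and '$' can appear in a date, a time, a time-taken value or a URL, so on a backend without field extraction it can match lines the field-based selection would not.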