valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 17:58:52 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
bda207660d
SigmaHQ/rules/windows/process_creation/sysmon_cve_2021_26857_msexchange.yml

29 lines
911 B
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

title: CVE-2021-26857 Exchange Exploitation
id: cd479ccc-d8f0-4c66-ba7d-e06286f3f887
description: Detects possible successful exploitation for vulnerability described in CVE-2021-26857 by looking for |
abnormal subprocesses spawning by Exchange Servers Unified Messaging service
author: Bhabesh Raj
status: experimental
level: critical
references:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26857
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
date: 2021/03/03
tags:
- attack.t1203
- attack.execution
- cve.2021-26857
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: 'UMWorkerProcess.exe'
filter:
Image|endswith:
- 'wermgr.exe'
- 'WerFault.exe'
condition: selection and not filter
falsepositives:
- Unknown
Reference in New Issue View Git Blame Copy Permalink