valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
ff5c9116a4
SigmaHQ/rules/web/web_cve_2021_26858_iis_rce.yml
frack113 ff5c9116a4
Update to w3c-logging
2021-08-11 11:28:04 +02:00

26 lines
936 B
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
status: experimental
description: When exploiting this vulnerability with CVE-202126858, an SSRF attack is used to manipulate virtual directories
references:
- https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
logsource:
product: windows
category: webserver
definition: w3c-logging must be enable https://docs.microsoft.com/en-us/windows/win32/http/w3c-logging
detection:
selection:
cs-method: 'POST'
sc-status: 200
cs-uri-stem|startswith: '/ecp/DDI/DDIService.svc/SetObject'
cs-uri-stem|contains|all:
- 'schema=Reset'
- 'VirtualDirectory'
cs-username|endswith: '$'
condition: selection
falsepositives:
- Unlikely
level: critical
Reference in New Issue View Git Blame Copy Permalink