CVE-2021-26858 Exchange Exploitation

 1title: CVE-2021-26858 Exchange Exploitation
 2id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
 3status: test
 4description: |
 5    Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
 6    creation of non-standard files on disk by Exchange Server’s Unified Messaging service
 7    which could indicate dropping web shells or other malicious content    
 8references:
 9    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
10author: Bhabesh Raj
11date: 2021-03-03
12modified: 2022-10-09
13tags:
14    - attack.t1203
15    - attack.execution
16    - cve.2021-26858
17    - detection.emerging-threats
18logsource:
19    category: file_event
20    product: windows
21detection:
22    selection:
23        Image|endswith: 'UMWorkerProcess.exe'
24    filter:
25        TargetFilename|endswith:
26            - 'CacheCleanup.bin'
27            - '.txt'
28            - '.LOG'
29            - '.cfg'
30            - 'cleanup.bin'
31    condition: selection and not filter
32falsepositives:
33    - Unknown
34level: high

References

• HAFNIUM targeting Exchange Servers with 0-day exploits | Microsoft Security Blog

  

  Microsoft has detected multiple 0-day exploits being used to attack on-premises versions of Microsoft Exchange Server in limited and targeted attacks. In the attacks observed, threat actors used this vulnerability to access on-premises Exchange servers, which enabled access to email accounts, and install additional malware to facilitate long-term access to victim environments. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM.

  
  Read More

Related rules

• Droppers Exploiting CVE-2017-11882
• OMIGOD HTTP No Authentication RCE - CVE-2021-38647
• Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
• Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
• CVE-2021-31979 CVE-2021-33771 Exploits