CVE-2021-26858 Exchange Exploitation

Detects possible successful exploitation of the vulnerability described in CVE-2021-26858 by looking for the creation of non-standard files on disk by Exchange Server's Unified Messaging service, which could indicate the dropping of web shells or other malicious content.

Sigma rule

```yaml
title: CVE-2021-26858 Exchange Exploitation
id: b06335b3-55ac-4b41-937e-16b7f5d57dfd
status: test
description: |
    Detects possible successful exploitation for vulnerability described in CVE-2021-26858 by looking for
    creation of non-standard files on disk by Exchange Server's Unified Messaging service
    which could indicate dropping web shells or other malicious content
references:
    - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
author: Bhabesh Raj
date: 2021-03-03
modified: 2022-10-09
tags:
    - attack.t1203
    - attack.execution
    - cve.2021-26858
    - detection.emerging-threats
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: 'UMWorkerProcess.exe'
    filter:
        TargetFilename|endswith:
            - 'CacheCleanup.bin'
            - '.txt'
            - '.LOG'
            - '.cfg'
            - 'cleanup.bin'
    condition: selection and not filter
fields:
    - ComputerName
    - TargetFilename
falsepositives:
    - Unknown
level: high
```
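The following is an added example, not part of the Sigma project or this rule, showing how the rule's `selection and not filter` logic behaves when applied to file-creation events. The event records, host names and file paths are constructed for the example; the field names (`Image`, `TargetFilename`, `ComputerName`) and the suffix lists come from the rule above. One detail worth seeing in code is that Sigma's `endswith` modifier matches case-insensitively, so `'.LOG'` in the filter also excludes `.log` files and `'.txt'` also excludes `.TXT`.

```python
"""Added example (not the Sigma project's code): evaluate the
CVE-2021-26858 rule's selection/filter logic against constructed
Sysmon-style file-creation events."""

from typing import Iterable

# Suffixes taken from the rule, lower-cased because Sigma string
# modifiers such as endswith compare case-insensitively.
SELECTION_IMAGE_SUFFIX = "umworkerprocess.exe"
FILTER_FILENAME_SUFFIXES = ("cachecleanup.bin", ".txt", ".log", ".cfg", "cleanup.bin")


def matches_rule(event: dict) -> bool:
    """Return True when the event satisfies `selection and not filter`."""
    image = str(event.get("Image", "")).lower()
    target = str(event.get("TargetFilename", "")).lower()
    selection = image.endswith(SELECTION_IMAGE_SUFFIX)
    filtered = any(target.endswith(suffix) for suffix in FILTER_FILENAME_SUFFIXES)
    return selection and not filtered


def find_hits(events: Iterable[dict]) -> list:
    """Return (ComputerName, TargetFilename) for each matching event,
    the two fields the rule's `fields` section asks an analyst to review."""
    return [(e.get("ComputerName"), e.get("TargetFilename")) for e in events if matches_rule(e)]


# Constructed sample events; host names and paths are made up for this example.
UM_WORKER = r"C:\Program Files\Microsoft\Exchange Server\V15\Bin\UMWorkerProcess.exe"
SAMPLE_EVENTS = [
    # Expected Unified Messaging housekeeping: excluded by the filter.
    {"ComputerName": "EXCH01", "Image": UM_WORKER,
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\UnifiedMessaging\grammars\CacheCleanup.bin"},
    {"ComputerName": "EXCH01", "Image": UM_WORKER,
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\UM\UM.log"},
    # Upper-case extension still filtered, because endswith is case-insensitive.
    {"ComputerName": "EXCH01", "Image": UM_WORKER,
     "TargetFilename": r"C:\Program Files\Microsoft\Exchange Server\V15\Logging\UM\notes.TXT"},
    # Non-standard file written by the UM worker into a web-served directory: a hit.
    {"ComputerName": "EXCH01", "Image": UM_WORKER,
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\example.aspx"},
    # Same file name from an unrelated process: selection fails, no hit.
    {"ComputerName": "EXCH02", "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\aspnet_client\example.aspx"},
]

if __name__ == "__main__":
    for host, path in find_hits(SAMPLE_EVENTS):
        print(f"CVE-2021-26858 rule hit on {host}: {path}")
```

Only the fourth record survives: the image is the UM worker process and the target file name ends in none of the filtered suffixes. Because `falsepositives` is listed as `Unknown`, any hit still warrants looking at the file's contents and the parent process tree before treating it as confirmed exploitation.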
