ProxyLogon Reset Virtual Directories Based On IIS Log
When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
Sigma rule
```yaml
title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
status: test
description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
modified: 2023/05/08
tags:
    - cve.2021.26858
    - detection.emerging_threats
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'
        cs-uri-query|contains|all:
            - 'schema=Reset'
            - 'VirtualDirectory'
        cs-username|endswith: '$'
    keywords:
        '|all':
            - 'POST'
            - 200
            - '/ecp/DDI/DDIService.svc/SetObject'
            - 'schema=Reset'
            - 'VirtualDirectory'
            - '$'
    condition: selection or keywords
falsepositives:
    - Unlikely
level: critical
```
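The rule has two branches: a field-based `selection` for IIS W3C logs that have been parsed into columns, and a `keywords` fallback that only needs the raw line. The following added example (not part of the Sigma rule or the page) applies both branches to a small IIS log. The log lines, the server and client addresses, the machine account name `EXCH01$` and the `CANARY_PLACEHOLDER` value are all constructed for the example; the `#Fields` layout is the standard IIS W3C format, with one space-separated token per field.

```python
"""Apply the ProxyLogon 'Reset Virtual Directories' Sigma rule to IIS W3C log lines.

Added example: the parser and the two matchers below are not the Sigma
project's code; they implement the rule's `selection` and `keywords`
branches over a constructed sample log.
"""
from typing import Dict, Iterator, List, Optional

# Constructed sample log (not a real capture). Addresses, account names and the
# msExchEcpCanary value are placeholders.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:14:58 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 192.0.2.10 Mozilla/5.0 200
2021-03-03 10:15:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 EXCH01$ 192.0.2.10 python-requests/2.25 200
2021-03-03 10:15:03 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 - 192.0.2.10 python-requests/2.25 401
2021-03-03 11:02:11 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 CORP\\admin.jane 10.0.0.22 Mozilla/5.0 200
"""

# Tokens of the rule's `keywords: '|all'` branch (the integer 200 becomes a string).
KEYWORDS = ["POST", "200", "/ecp/DDI/DDIService.svc/SetObject",
            "schema=Reset", "VirtualDirectory", "$"]


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # #Software, #Version, #Date directives carry no event data
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line; IIS writes exactly one token per field
        yield dict(zip(fields, values))


def matches_selection(rec: Dict[str, str]) -> bool:
    """The rule's `selection` branch. Sigma string matching is case-insensitive."""
    query = rec.get("cs-uri-query", "").lower()
    return (
        rec.get("cs-method", "").lower() == "post"
        and rec.get("sc-status") == "200"
        and rec.get("cs-uri-stem", "").lower() == "/ecp/ddi/ddiservice.svc/setobject"
        and "schema=reset" in query
        and "virtualdirectory" in query
        and rec.get("cs-username", "").endswith("$")
    )


def matches_keywords(line: str) -> bool:
    """The rule's `keywords` fallback: every token must appear somewhere in the raw line."""
    lowered = line.lower()
    return all(tok.lower() in lowered for tok in KEYWORDS)


def selection_hits(text: str) -> List[Dict[str, str]]:
    """Parsed records that satisfy the `selection` branch."""
    return [rec for rec in parse_iis_w3c(text) if matches_selection(rec)]


def keyword_hits(text: str) -> List[str]:
    """Raw data lines that satisfy the `keywords` branch."""
    return [ln for ln in text.splitlines()
            if ln and not ln.startswith("#") and matches_keywords(ln)]


if __name__ == "__main__":
    for rec in selection_hits(SAMPLE_LOG):
        print("selection:", rec["date"], rec["time"], rec["c-ip"], rec["cs-username"], rec["cs-uri-query"])
    for ln in keyword_hits(SAMPLE_LOG):
        print("keywords: ", ln)
```

On the sample, only the second data line fires: the 401 response fails the status check, and the request issued under `CORP\admin.jane` fails the `cs-username|endswith: '$'` check, which is what distinguishes the exploit (the request arrives under the Exchange machine account after the SSRF step) from an administrator resetting a virtual directory through ECP. The keyword branch reaches the same verdict here, but because it is a substring match over the whole line it is the noisier of the two and is only meant for log pipelines that do not split IIS fields.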
Related rules
- CVE-2021-21972 VSphere Exploitation
- CVE-2021-21978 Exploitation Attempt
- CVE-2021-33766 Exchange ProxyToken Exploitation
- CVE-2023-46747 Exploitation Activity - Proxy
- CVE-2023-46747 Exploitation Activity - Webserver