ProxyLogon Reset Virtual Directories Based On IIS Log

During ProxyLogon exploitation (CVE-2021-26858) the attacker uses the SSRF to reach the Exchange Control Panel DDI service and reset an Exchange virtual directory. In the IIS log this appears as a successful POST to /ecp/DDI/DDIService.svc/SetObject with both 'schema=Reset' and 'VirtualDirectory' in the query string. The rule additionally requires cs-username to end in '$', i.e. the request ran under the Exchange server's own computer account rather than an administrator's account; that is what separates the SSRF-driven reset from the same reset performed legitimately from the ECP UI.

Sigma rule

title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
status: test
description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
modified: 2023/05/08
tags:
    - cve.2021.26858
    - detection.emerging_threats
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
    definition: 'Requirements: The POST request body data must be collected in order to make use of this detection'
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'
        cs-uri-query|contains|all:
            - 'schema=Reset'
            - 'VirtualDirectory'
        cs-username|endswith: '$'
    keywords:
        '|all':
            - 'POST'
            - 200
            - '/ecp/DDI/DDIService.svc/SetObject'
            - 'schema=Reset'
            - 'VirtualDirectory'
            - '$'
    condition: selection or keywords
falsepositives:
    - Unlikely
level: critical
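The following is an added example, not part of the Sigma rule or the SigmaHQ project: a small parser for IIS W3C extended log lines plus both branches of the rule's detection (the field-based `selection` and the raw-line `keywords` fallback), run over a constructed log excerpt. The server name, account names, IP addresses and msExchEcpCanary values in the sample are invented; only the request shape follows the rule.

```python
"""Run the ProxyLogon 'reset virtual directory' Sigma logic over IIS W3C log lines.

Added example; not the Sigma rule's own code. It implements the rule's
`selection` branch on parsed fields and the `keywords` branch on raw lines.
"""
from typing import Dict, Iterator, List

# Constructed sample log (hostnames, accounts, IPs and canary values are invented).
# Data line 2 is the exploitation pattern: an ECP SetObject reset of the OAB virtual
# directory, HTTP 200, under the Exchange computer account (CONTOSO\EXCH01$).
# Data line 3 is the same reset done by an administrator account (benign).
# Data line 4 is the attacker's request that failed with HTTP 500.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-02 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 10.0.0.99 Mozilla/5.0 200
2021-03-02 10:15:07 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=AAAAexample 443 CONTOSO\\EXCH01$ 10.0.0.99 python-requests/2.25.1 200
2021-03-02 10:16:30 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=BBBBexample 443 CONTOSO\\admin 10.0.0.12 Mozilla/5.0 200
2021-03-02 10:17:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CCCCexample 443 CONTOSO\\EXCH01$ 10.0.0.99 python-requests/2.25.1 500
"""

SETOBJECT_STEM = "/ecp/DDI/DDIService.svc/SetObject"
# The rule's `keywords` list, verbatim.
KEYWORDS = ["POST", "200", SETOBJECT_STEM, "schema=Reset", "VirtualDirectory", "$"]


def parse_iis_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the names in the most recent #Fields header."""
    fields: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives: #Software, #Version, #Date
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line or missing header: skip rather than mis-assign fields
        yield dict(zip(fields, values))


def matches_selection(rec: Dict[str, str]) -> bool:
    """The rule's `selection` branch. Sigma string matching is case-insensitive by default."""
    query = rec.get("cs-uri-query", "").lower()
    return (
        rec.get("cs-method", "").upper() == "POST"
        and rec.get("sc-status") == "200"
        and rec.get("cs-uri-stem", "").lower() == SETOBJECT_STEM.lower()
        and "schema=reset" in query
        and "virtualdirectory" in query
        # '$' suffix: a computer account, i.e. the request ran as the Exchange server itself
        and rec.get("cs-username", "").endswith("$")
    )


def matches_keywords(line: str) -> bool:
    """The rule's `keywords` fallback for unparsed lines: every keyword must appear somewhere."""
    lowered = line.lower()
    return all(k.lower() in lowered for k in KEYWORDS)


def find_hits(text: str) -> List[Dict[str, str]]:
    """Parsed records that satisfy the `selection` branch."""
    return [rec for rec in parse_iis_w3c(text) if matches_selection(rec)]


def keyword_hits(text: str) -> List[str]:
    """Raw data lines that satisfy the `keywords` branch."""
    return [l for l in text.splitlines() if l and not l.startswith("#") and matches_keywords(l)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_IIS_LOG):
        print(f"{hit['date']} {hit['time']} {hit['cs-username']} {hit['c-ip']} {hit['cs-uri-query']}")
```

Only the computer-account request that returned 200 is reported by either branch; the administrator's reset and the failed attempt are not. Prefer the parsed `selection` when the log is field-aware: the `keywords` branch accepts a "200" or "$" anywhere in the line, so a canary token or timestamp containing "200" can satisfy it on a line the field-based check would reject.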
