ProxyLogon Reset Virtual Directories Based On IIS Log

During exploitation of CVE-2021-26858, an SSRF request is used to manipulate Exchange virtual directories.

Sigma rule

```yaml
title: ProxyLogon Reset Virtual Directories Based On IIS Log
id: effee1f6-a932-4297-a81f-acb44064fa3a
status: test
description: When exploiting this vulnerability with CVE-2021-26858, an SSRF attack is used to manipulate virtual directories
references:
    - https://bi-zone.medium.com/hunting-down-ms-exchange-attacks-part-1-proxylogon-cve-2021-26855-26858-27065-26857-6e885c5f197c
author: frack113
date: 2021/08/10
modified: 2023/05/08
tags:
    - cve.2021.26858
    - detection.emerging_threats
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'
        cs-uri-query|contains|all:
            - 'schema=Reset'
            - 'VirtualDirectory'
        cs-username|endswith: '$'
    keywords:
        '|all':
            - 'POST'
            - 200
            - '/ecp/DDI/DDIService.svc/SetObject'
            - 'schema=Reset'
            - 'VirtualDirectory'
            - '$'
    condition: selection or keywords
falsepositives:
    - Unlikely
level: critical
```
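To see what the rule's two branches actually match, here is the detection logic applied to a handful of IIS log lines. This is an added example, not code from the Sigma project or the rule's author. It assumes IIS W3C extended logging with the field names the rule refers to (`cs-method`, `cs-uri-stem`, `cs-uri-query`, `cs-username`, `sc-status`), parses the `#Fields:` header the way IIS writes it, and follows Sigma's default of case-insensitive string matching. The log excerpt is constructed: hostnames, IP addresses and the canary value are placeholders, and the query string is written so that it satisfies both `contains` clauses.

```python
"""Apply the ProxyLogon Sigma rule's `selection` and `keywords` branches to
IIS W3C log lines. Added example; the log excerpt below is constructed."""
from typing import Dict, List, Optional

# Constructed sample in IIS W3C extended format (not a real capture).
# Line 2: machine-account POST that the rule is written for.
# Line 3: same request under a user account (an administrator in ECP).
# Line 4: same request but the backend answered 500.
# Line 5: status 302, but time-taken happens to be 200.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-03-03 10:15:01 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 0 0 120
2021-03-03 10:15:09 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 EXCHANGE01$ 203.0.113.7 python-requests/2.25.1 200 0 0 85
2021-03-03 10:16:44 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 CORP\\jdoe 198.51.100.20 Mozilla/5.0 200 0 0 90
2021-03-03 10:17:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 EXCHANGE01$ 203.0.113.7 python-requests/2.25.1 500 0 0 40
2021-03-03 10:18:30 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=CANARY_PLACEHOLDER 443 EXCHANGE01$ 203.0.113.7 python-requests/2.25.1 302 0 0 200
"""

# Tokens of the rule's `keywords` block ('|all').
RULE_KEYWORDS = ("POST", "200", "/ecp/DDI/DDIService.svc/SetObject",
                 "schema=Reset", "VirtualDirectory", "$")


def parse_w3c_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn IIS W3C lines into field dicts, using the #Fields header for names.
    The raw line is kept under '_raw' for the keyword branch."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):          # other directives (#Software, #Date, ...)
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):    # IIS encodes spaces as '+', so a
            continue                      # count mismatch is a damaged line
        rec = dict(zip(fields, values))
        rec["_raw"] = line
        records.append(rec)
    return records


def matches_selection(rec: Dict[str, str]) -> bool:
    """The rule's `selection` block: all five field conditions must hold.
    Comparisons are lower-cased to mirror Sigma's default matching."""
    query = rec.get("cs-uri-query", "").lower()
    return (
        rec.get("cs-method", "").lower() == "post"
        and rec.get("sc-status") == "200"
        and rec.get("cs-uri-stem", "").lower() == "/ecp/ddi/ddiservice.svc/setobject"
        and all(s.lower() in query for s in ("schema=Reset", "VirtualDirectory"))
        and rec.get("cs-username", "").endswith("$")
    )


def matches_keywords(raw_line: str) -> bool:
    """The rule's `keywords` block: every token occurs somewhere in the raw
    event text. No field structure, so it is looser than `selection`."""
    low = raw_line.lower()
    return all(k.lower() in low for k in RULE_KEYWORDS)


def evaluate_rule(text: str) -> List[Dict[str, object]]:
    """condition: selection or keywords. Returns one hit per matching line,
    recording which branch(es) fired so an analyst can triage accordingly."""
    hits: List[Dict[str, object]] = []
    for rec in parse_w3c_iis_log(text):
        sel = matches_selection(rec)
        kw = matches_keywords(rec["_raw"])
        if sel or kw:
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "user": rec["cs-username"],
                "client": rec["c-ip"],
                "selection": sel,
                "keywords": kw,
            })
    return hits


if __name__ == "__main__":
    for hit in evaluate_rule(SAMPLE_IIS_LOG):
        print(hit)
```

Two things the run makes visible. First, the `cs-username|endswith: '$'` condition is what separates the attack pattern from an administrator resetting a virtual directory in ECP: an administrator shows up under a user account, whereas the SSRF stage of the chain produces a request attributed to the Exchange server's own computer account, whose name ends in `$`. Second, the `keywords` branch has no field boundaries, so a line whose status is 302 but whose time-taken is 200 still satisfies every token; when only `keywords` fires, treat the hit as a prompt to look at the structured fields rather than as a confirmed match.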
