Exchange Exploitation CVE-2021-28480
Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
Sigma rule (View on GitHub)
1title: Exchange Exploitation CVE-2021-28480
2id: a2a9d722-0acb-4096-bccc-daaf91a5037b
3status: test
4description: Detects successful exploitation of Exchange vulnerability as reported in CVE-2021-28480
5references:
6 - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
7author: Florian Roth (Nextron Systems)
8date: 2021/05/14
9modified: 2023/01/02
10tags:
11 - attack.initial_access
12 - attack.t1190
13 - cve.2021.28480
14 - detection.emerging_threats
15logsource:
16 category: webserver
17detection:
18 selection:
19 cs-uri-query|contains: '/owa/calendar/a'
20 cs-method: 'POST'
21 filter_main_status:
22 sc-status: 503
23 condition: selection and not 1 of filter_*
24falsepositives:
25 - Unknown
26level: critical
References
Related rules
- CVE-2021-21972 VSphere Exploitation
- CVE-2021-21978 Exploitation Attempt
- CVE-2021-33766 Exchange ProxyToken Exploitation
- CVE-2023-46747 Exploitation Activity - Proxy
- CVE-2023-46747 Exploitation Activity - Webserver