CVE-2021-33766 Exchange ProxyToken Exploitation
Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
Sigma rule (View on GitHub)
1title: CVE-2021-33766 Exchange ProxyToken Exploitation
2id: 56973b50-3382-4b56-bdf5-f51a3183797a
3status: test
4description: Detects the exploitation of Microsoft Exchange ProxyToken vulnerability as described in CVE-2021-33766
5references:
6 - https://www.zerodayinitiative.com/blog/2021/8/30/proxytoken-an-authentication-bypass-in-microsoft-exchange-server
7author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Christian Burkard (Nextron Systems)
8date: 2021/08/30
9modified: 2023/01/02
10tags:
11 - attack.initial_access
12 - attack.t1190
13 - cve.2021.33766
14 - detection.emerging_threats
15logsource:
16 category: webserver
17detection:
18 selection_1:
19 cs-method: 'POST'
20 cs-uri-query|contains|all:
21 - '/ecp/'
22 - '/RulesEditor/InboxRules.svc/NewObject'
23 sc-status: 500
24 selection_2:
25 cs-uri-query|contains|all:
26 - 'SecurityToken='
27 - '/ecp/'
28 sc-status: 500
29 condition: 1 of selection_*
30falsepositives:
31 - Unknown
32level: critical
References
Related rules
- CVE-2021-21972 VSphere Exploitation
- CVE-2021-21978 Exploitation Attempt
- CVE-2023-46747 Exploitation Activity - Proxy
- CVE-2023-46747 Exploitation Activity - Webserver
- Confluence Exploitation CVE-2019-3398