Possible Exploitation of Exchange RCE CVE-2021-42321
Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
Sigma rule
```yaml
title: Possible Exploitation of Exchange RCE CVE-2021-42321
id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
status: test
description: Detects log entries that appear in exploitation attempts against MS Exchange RCE CVE-2021-42321
references:
    - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
author: 'Florian Roth (Nextron Systems), @testanull'
date: 2021-11-18
modified: 2022-07-12
tags:
    - attack.lateral-movement
    - attack.t1210
    - detection.emerging-threats
logsource:
    product: windows
    service: msexchange-management
    # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
    selection:
        EventID:
            - 6
            - 8
        Data|contains:
            - 'Cmdlet failed. Cmdlet Get-App, '
            - 'Task Get-App throwing unhandled exception: System.InvalidCastException:'
    condition: selection
falsepositives:
    - Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
level: high
```
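To make the rule's matching semantics concrete, here is an added example (not part of the SigmaHQ rule or this page) that evaluates the `selection` above over a handful of constructed MSExchange Management event records. It assumes each event is a dict with an integer `EventID` and a list of `Data` strings (the EventData elements), and it joins those strings into one blob before matching, which is exactly the point of the rule's warning comment about the `Data` field being the container for the event data as a whole. Sigma's `contains` modifier is a case-insensitive substring match, so the comparison lowercases both sides.

```python
"""Added example: a minimal evaluator for the CVE-2021-42321 Sigma selection.

This is not SigmaHQ code. Event shape (EventID int + Data list of strings) and
all sample messages below are constructed for illustration only.
"""

from typing import Iterable, Mapping, Sequence, Union

# Selection values copied from the rule above.
EVENT_IDS = {6, 8}
DATA_PATTERNS = (
    "Cmdlet failed. Cmdlet Get-App, ",
    "Task Get-App throwing unhandled exception: System.InvalidCastException:",
)

Event = Mapping[str, Union[int, Sequence[str]]]


def event_data_blob(event: Event) -> str:
    """Join every Data element into one string.

    The rule's comment warns that 'Data' is the container for the event data
    as a whole, so a backend must search across all elements, not just one.
    """
    return "\n".join(str(x) for x in event.get("Data", []))


def matches_rule(event: Event) -> bool:
    """True when the event satisfies `selection` (EventID AND Data|contains).

    Sigma string matching is case-insensitive, hence the lowercasing.
    """
    if event.get("EventID") not in EVENT_IDS:
        return False
    blob = event_data_blob(event).lower()
    return any(p.lower() in blob for p in DATA_PATTERNS)


def scan(events: Iterable[Event]) -> list[int]:
    """Return the indexes of events that trigger the rule."""
    return [i for i, e in enumerate(events) if matches_rule(e)]


# Constructed sample events (not real log data). Only the first two should fire.
SAMPLE_EVENTS = [
    # EventID 6 with the first pattern (note the trailing space is part of it).
    {"EventID": 6, "Data": ["Cmdlet failed. Cmdlet Get-App, parameters {Identity=app1}."]},
    # EventID 8 with the second pattern, preceded by other event data.
    {"EventID": 8, "Data": [
        "(PID 1234, Thread 56)",
        "Task Get-App throwing unhandled exception: System.InvalidCastException: Unable to cast object.",
    ]},
    # Same message but an EventID outside {6, 8}: the selection is an AND, so no match.
    {"EventID": 1, "Data": ["Cmdlet failed. Cmdlet Get-App, parameters {Identity=app1}."]},
    # Right EventID, benign cmdlet: must not fire.
    {"EventID": 6, "Data": ["Cmdlet succeeded. Cmdlet Get-Mailbox, parameters {Identity=user}."]},
]

if __name__ == "__main__":
    for i in scan(SAMPLE_EVENTS):
        print(f"ALERT event[{i}] EventID={SAMPLE_EVENTS[i]['EventID']}")
```

When porting the rule to a SIEM, the third sample is the one to keep in mind: both the `EventID` and the `Data|contains` clause must hold, so a backend that only indexes one `Data` element, or that treats the string match as case-sensitive, will silently diverge from the Sigma semantics shown here.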