title: Possible Exploitation of Exchange RCE CVE-2021-42321
author: Florian Roth, @testanull
date: 2021/11/18
description: Detects log entries that appear in exploitation attempts against MS Exchange
  RCE CVE-2021-42321
detection:
  condition: 'Cmdlet failed. Cmdlet Get-App, '
falsepositives:
- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
level: critical
logsource:
  product: windows
  service: msexchange-management
references:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
status: experimental
tags:
- attack.lateral_movement
- attack.t1210
ruletype: SIGMA