22 lines
667 B
YAML
22 lines
667 B
YAML
title: Possible Exploitation of Exchange RCE CVE-2021-42321
|
|
author: Florian Roth, @testanull
|
|
date: 2021/11/18
|
|
description: Detects log entries that appear in exploitation attempts against MS Exchange
|
|
RCE CVE-2021-42321
|
|
detection:
|
|
condition: 'Cmdlet failed. Cmdlet Get-App, '
|
|
falsepositives:
|
|
- Unknown, please report false positives via https://github.com/SigmaHQ/sigma/issues
|
|
id: c92f1896-d1d2-43c3-92d5-7a5b35c217bb
|
|
level: critical
|
|
logsource:
|
|
product: windows
|
|
service: msexchange-management
|
|
references:
|
|
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42321
|
|
status: experimental
|
|
tags:
|
|
- attack.lateral_movement
|
|
- attack.t1210
|
|
ruletype: SIGMA
|