
ProxyLogon Reset Virtual Directories Based On IIS Log

When this vulnerability (CVE-2021-26858) is exploited, an SSRF attack is used to manipulate Exchange virtual directories.

Author: François Hubaut
Created: Tue Aug 10 (2021)
Updated: Mon May 08
Rule ID: effee1f6-a932-4297-a81f-acb44064fa3a

Type: Emerging Threat (Active Threat)

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source: Web Server Log
Category: Web Server Log (raw: webserver)

HTTP access logs from web servers capturing request paths, methods, and status codes.

Definition

Requirements: The POST request body data must be collected in order to make use of this detection

Detection Logic
detection:
    selection:
        cs-method: 'POST'
        sc-status: 200
        cs-uri-stem: '/ecp/DDI/DDIService.svc/SetObject'
        cs-uri-query|contains|all:
            - 'schema=Reset'
            - 'VirtualDirectory'
        cs-username|endswith: '$'
    keywords:
        '|all':
            - 'POST'
            - 200
            - '/ecp/DDI/DDIService.svc/SetObject'
            - 'schema=Reset'
            - 'VirtualDirectory'
            - '$'
    condition: selection or keywords
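To show how the two selectors above behave on actual log data, here is an added example (not part of the Sigma rule or this page) that parses IIS W3C access-log lines and applies the `selection` and `keywords` blocks with the rule's `selection or keywords` condition. The log excerpt is constructed for the example, and the helper names (`parse_iis_w3c`, `matches_selection`, `matches_keywords`, `run_rule`) are this example's own.

```python
# Added example: run the Sigma rule's detection block over IIS W3C log lines.
# Not part of the rule or the original page.

# Literal values copied from the Sigma rule's detection block.
RULE_METHOD = "POST"
RULE_STATUS = "200"
RULE_URI_STEM = "/ecp/DDI/DDIService.svc/SetObject"
RULE_QUERY_TOKENS = ("schema=Reset", "VirtualDirectory")
RULE_USERNAME_SUFFIX = "$"
RULE_KEYWORDS = ("POST", "200", RULE_URI_STEM) + RULE_QUERY_TOKENS + (RULE_USERNAME_SUFFIX,)

# Constructed IIS W3C log excerpt (not a real capture). Only the second data
# line should fire: POST to SetObject, both query tokens present, status 200,
# and cs-username is a machine account ending in '$'. The third line is a
# reset performed by a named admin, the fourth failed (500), the fifth is a
# different ECP operation.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 192.0.2.10 Mozilla/5.0 200
2021-03-03 10:00:02 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory&msExchEcpCanary=constructed 443 EXCH01$ 192.0.2.10 python-requests/2.25 200
2021-03-03 10:00:03 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory 443 jdoe 192.0.2.10 Mozilla/5.0 200
2021-03-03 10:00:04 10.0.0.5 POST /ecp/DDI/DDIService.svc/SetObject schema=ResetOABVirtualDirectory 443 EXCH01$ 192.0.2.10 python-requests/2.25 500
2021-03-03 10:00:05 10.0.0.5 POST /ecp/DDI/DDIService.svc/GetList schema=VirtualDirectory 443 EXCH01$ 192.0.2.10 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Parse W3C extended-format log text into one dict per request, keyed by
    the names from the #Fields directive. The raw line is kept under '_raw'
    so the rule's keyword selector can run over the whole line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        record = dict(zip(fields, values))
        record["_raw"] = line
        records.append(record)
    return records


def matches_selection(rec):
    """The 'selection' block: field-level match. Sigma string matching is
    case-insensitive, so compare lower-cased values; sc-status is numeric."""
    query = rec.get("cs-uri-query", "-").lower()
    return (
        rec.get("cs-method", "").upper() == RULE_METHOD
        and rec.get("sc-status") == RULE_STATUS
        and rec.get("cs-uri-stem", "").lower() == RULE_URI_STEM.lower()
        and all(tok.lower() in query for tok in RULE_QUERY_TOKENS)
        and rec.get("cs-username", "").endswith(RULE_USERNAME_SUFFIX)
    )


def matches_keywords(raw_line):
    """The 'keywords' block ('|all'): every literal must appear somewhere in
    the raw log line, regardless of which column it lands in."""
    lowered = raw_line.lower()
    return all(kw.lower() in lowered for kw in RULE_KEYWORDS)


def run_rule(text):
    """condition: selection or keywords"""
    return [
        rec for rec in parse_iis_w3c(text)
        if matches_selection(rec) or matches_keywords(rec["_raw"])
    ]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_IIS_LOG):
        print(f"ALERT {hit['date']} {hit['time']} {hit['c-ip']} -> "
              f"{hit['cs-uri-stem']}?{hit['cs-uri-query']} as {hit['cs-username']}")
```

Two things are worth noticing when running it. The `cs-username|endswith: '$'` clause is what separates the second line from the third: a reset performed through the ECP interface by a named administrator logs that account, whereas the rule is looking for the request arriving under a machine account. And the `keywords` selector is deliberately broad, so it only stays quiet here because the other lines lack at least one literal (`POST`, `200` or `$`); on a busy log it is the field-level `selection` that carries the precision. Both selectors rely on `cs-uri-query` being logged, which is part of the default IIS W3C field set.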
False Positives
Unlikely

False positives are unlikely for most environments. High confidence detection.

MITRE ATT&CK

attack.initial-access, attack.t1190 (Exploit Public-Facing Application)

Other

cve.2021-26858, detection.emerging-threats
Rule Metadata
Rule ID: effee1f6-a932-4297-a81f-acb44064fa3a
Status: test
Level: critical
Type: Emerging Threat
Created: Tue Aug 10
Modified: Mon May 08
Path: rules-emerging-threats/2021/Exploits/CVE-2021-26858/web_cve_2021_26858_iis_rce.yml
Raw Tags: cve.2021-26858, detection.emerging-threats, attack.initial-access, attack.t1190