The sample scripts are not supported under any N-able support program or service. The sample scripts are provided AS IS without warranty of any kind, and N-able expressly disclaims all implied warranties, including warranties of merchantability or of fitness for a particular purpose. In no event shall N-able or any other party be liable for damages arising out of the use of or inability to use the sample scripts.

CVE-2021-26855 IOC N-Central

Last Modified Date

3/9/2021 12:21 AM

Description

Microsoft published the following article, which contains information about indicators of compromise (IoCs) related to CVE-2021-26855:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

This Service Monitor checks for the IoCs for CVE-2021-26855 and fails if they are present on the server.
A passing result should not be considered full validation that a system was not affected by CVE-2021-26855.
Due to the nature of the vulnerability, sufficiently advanced threat actors will be able to remove these indicators, and further forensic analysis of the server may be required.

Type

Custom Service / Script Check

Category

Windows Services

Target OS

Windows Server 2012 / 2012R2;Windows Server 2016;Windows Server 2019

Compatible with N-Central

Yes

N-Central minimum version

Compatible with RMM

No

Syntax

No input required.
Use only on Exchange servers, as the Service Monitor will fail unpredictably if Exchange is not present.

Output

An Output variable for the Global Variable CVE_2021_26855 will need to be set with Automation Manager.
Pass: No empty AuthenticatedUser
Fail: compromised
Unknown: unable to locate
 

Keywords

CVE-2021-26855 IOC Exchange proxylogon
