Last Modified Date: 3/9/2021 12:21 AM
Microsoft published the following article that contains information about indicators of compromise related to CVE-2021-26855.
This Service Monitor checks for the IoCs for CVE-2021-26855 and fails if they are present on the server.
This should not be considered a full validation that a system was not affected by CVE-2021-26855.
Due to the nature of the vulnerability, sufficiently advanced threat actors will be able to remove these indicators, and further forensic analysis of the server may be required.
Custom Service / Script Check
Windows Server 2012 / 2012R2; Windows Server 2016; Windows Server 2019
Compatible with N-Central
N-Central minimum version
Compatible with RMM
No input required.
Should only be used on Exchange Servers, as the Service Monitor will fail unpredictably if Exchange is not present.
An Output variable for the Global Variable CVE_2021_26855 will need to be set with Automation Manager.
Pass: No empty AuthenticatedUser
Unknown: unable to locate
CVE-2021-26855 IOC Exchange proxylogon