The sample scripts are not supported under any N-able support program or service. The sample scripts are provided AS IS without warranty of any kind, and N-able expressly disclaims all implied warranties, including warranties of merchantability or of fitness for a particular purpose. In no event shall N-able or any other party be liable for damages arising out of the use of or inability to use the sample scripts.

CVE-2021-26855 IoC RMM

Last Modified Date

3/9/2021 12:21 AM

Description

Microsoft published the following article, which contains information about indicators of compromise (IoCs) related to CVE-2021-26855:
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

This 24x7 Check looks for the IoCs for CVE-2021-26855 and fails if they are present on the server.
A passing check should not be considered full validation that a system was not affected by CVE-2021-26855.
Due to the nature of the vulnerability, sufficiently advanced threat actors will be able to remove these indicators, and further forensic analysis of the server may be required.

Type

Custom Service / Script Check

Category

Windows Services

Target OS

Windows Server 2012 / 2012R2; Windows Server 2016; Windows Server 2019

Compatible with N-Central

No

N-Central minimum version

Compatible with RMM

Yes

Syntax

Use only on Exchange servers. The check will always fail on systems not running Exchange.

Output

Outputs pass or fail conditions to the More Information column of the check.

Keywords

CVE-2021-26855 Exchange IOC proxylogon
