CVE-2021-26857 Detection
Summary
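This document describes a remote PowerShell monitor for Windows Exchange Servers that checks the event log for evidence of the Microsoft Exchange Server Remote Code Execution Vulnerability CVE-2021-26857: 'MSExchange Unified Messaging' error events whose message contains System.InvalidCastException.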
Details
Suggested "Limit to": Microsoft Exchange Server 2013, 2016, or 2019.
Suggested Alert Style: Once
Suggested Alert Template: Default Create Automate Ticket.
Insert the details of the monitor in the table below.
Check Action | Server Address | Check Type | Check Value | Comparator | Interval | Result |
---|---|---|---|---|---|---|
system | 127.0.0.1 | Runfile | Check Below | Missing | 3600 |
Check Value: C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe -ExecutionPolicy Bypass -Command "(Get-EventLog -LogName Application -Source 'MSExchange Unified Messaging' -EntryType Error -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*System.InvalidCastException*' })"
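When the monitor alerts, the matching events have to be pulled for review. The following is an added example, not part of the original monitor: a triage function that queries the Application log (where Microsoft's guidance for CVE-2021-26857 places these events) with Get-WinEvent and lists the matches oldest first. The function name, the 30-day default window and the sample records are assumptions made for illustration.

```powershell
# Added example: triage helper for the alert raised by the monitor above.
function Get-UmCastError {
    [CmdletBinding()]
    param(
        # Optional pre-collected events (for example from an exported log).
        # When omitted, the local Application log is queried.
        [object[]]$Events,
        # Look-back window in days (assumed default, adjust to your retention).
        [int]$Days = 30
    )
    if (-not $PSBoundParameters.ContainsKey('Events')) {
        $filter = @{
            LogName      = 'Application'
            ProviderName = 'MSExchange Unified Messaging'
            Level        = 2                          # 2 = Error
            StartTime    = (Get-Date).AddDays(-$Days)
        }
        # Get-WinEvent reports "no events found" as an error, so silence it
        # and treat an empty result as "nothing to report".
        $Events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    }
    $Events |
        Where-Object { $_.Message -like '*System.InvalidCastException*' } |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, MachineName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Constructed sample records (not real log data) so the filter can be tried offline.
$sample = @(
    [pscustomobject]@{
        TimeCreated = [datetime]'2021-03-03T02:14:00'
        MachineName = 'EXCH01.example.test'
        Message     = "Constructed sample: System.InvalidCastException: Unable to cast object.`r`nstack trace line"
    },
    [pscustomobject]@{
        TimeCreated = [datetime]'2021-03-03T02:20:00'
        MachineName = 'EXCH01.example.test'
        Message     = 'Constructed sample: unrelated Unified Messaging error'
    }
)

# Returns only the first sample record.
Get-UmCastError -Events $sample | Format-Table -AutoSize

# On an Exchange server, query the live log instead:
# Get-UmCastError -Days 14
```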
Target
Microsoft Exchange Servers only.