42 lines
1.2 KiB
YAML
42 lines
1.2 KiB
YAML
title: Exploited CVE-2020-10189 Zoho ManageEngine
|
|
author: Florian Roth
|
|
date: 2020/03/25
|
|
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization
|
|
vulnerability reported as CVE-2020-10189
|
|
detection:
|
|
SELECTION_1:
|
|
EventID: 1
|
|
SELECTION_2:
|
|
ParentImage: '*DesktopCentral_Server\jre\bin\java.exe'
|
|
SELECTION_3:
|
|
Image: '*\cmd.exe'
|
|
SELECTION_4:
|
|
Image: '*\powershell.exe'
|
|
SELECTION_5:
|
|
Image: '*\bitsadmin.exe'
|
|
condition: (SELECTION_1 and SELECTION_2 and (SELECTION_3 or SELECTION_4 or SELECTION_5))
|
|
falsepositives:
|
|
- Unknown
|
|
id: 846b866e-2a57-46ee-8e16-85fa92759be7
|
|
level: critical
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
references:
|
|
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
|
|
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
|
|
status: experimental
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086
|
|
- attack.t1059.003
|
|
- attack.t1059
|
|
- attack.s0190
|
|
- cve.2020.10189
|
|
yml_filename: win_exploit_cve_2020_10189.yml
|
|
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation
|
|
|