SigmaHQ/rules/web/web_exchange_cve_2020_0688_exploit.yml

title: CVE-2020-0688 Exploitation Attempt
id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a
status: experimental
description: Detects CVE-2020-0688 Exploitation attempts
author: NVISO
date: 2020/02/27
modified: 2020/09/03
references:
  - https://github.com/Ridter/cve-2020-0688
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains|all:
      - "/ecp/default.aspx"
      - "__VIEWSTATEGENERATOR="
      - "__VIEWSTATE="
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
    - attack.initial_access
    - attack.t1190
Title capitalization 2020-02-27 11:56:56 +00:00			`title: CVE-2020-0688 Exploitation Attempt`
CVE 2020-0688 Exploit attempt rule 2020-02-27 11:51:10 +00:00			`id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a`
			`status: experimental`
			`description: Detects CVE-2020-0688 Exploitation attempts`
			`author: NVISO`
			`date: 2020/02/27`
att&ck tags review: web, network/zeek 2020-09-03 14:04:57 +00:00			`modified: 2020/09/03`
Second round 2020-09-15 13:02:30 +00:00			`references:`
			`- https://github.com/Ridter/cve-2020-0688`
CVE 2020-0688 Exploit attempt rule 2020-02-27 11:51:10 +00:00			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
Match on c-uri instead of c-uri-path 2020-02-27 12:23:25 +00:00			`c-uri\|contains\|all:`
CVE 2020-0688 Exploit attempt rule 2020-02-27 11:51:10 +00:00			`- "/ecp/default.aspx"`
			`- "__VIEWSTATEGENERATOR="`
			`- "__VIEWSTATE="`
			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`
Second round 2020-09-15 13:02:30 +00:00			`tags:`
			`- attack.initial_access`
			`- attack.t1190`