title: CVE-2020-0688 Exchange Exploitation via Web Log
id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
logsource:
    category: webserver
detection:
    selection:
        cs-method: 'GET'
        c-uri|contains:
            - '/ecp/'
            - '/owa/'
        c-uri|contains: '__VIEWSTATE=' 
    condition: selection
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
tags:
    - attack.initial_access
    - attack.t1190
level: critical