mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
29 lines
1017 B
YAML
29 lines
1017 B
YAML
title: Exploited CVE-2020-10189 Zoho ManageEngine
|
|
id: 846b866e-2a57-46ee-8e16-85fa92759be7
|
|
status: experimental
|
|
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
|
|
references:
|
|
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-10189
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
|
|
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
|
|
author: Florian Roth
|
|
date: 2020/03/25
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
|
|
Image|endswith:
|
|
- '*\cmd.exe'
|
|
- '*\powershell.exe'
|
|
- '*\bitsadmin.exe'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|