mirror of
https://github.com/valitydev/SigmaHQ.git
synced 2024-11-07 17:58:52 +00:00
35 lines
1.1 KiB
YAML
35 lines
1.1 KiB
YAML
title: Exploited CVE-2020-10189 Zoho ManageEngine
|
|
id: 846b866e-2a57-46ee-8e16-85fa92759be7
|
|
status: experimental
|
|
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
|
|
references:
|
|
- https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
|
|
- https://nvd.nist.gov/vuln/detail/CVE-2020-10189
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10189
|
|
- https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
|
|
author: Florian Roth
|
|
date: 2020/03/25
|
|
tags:
|
|
- attack.initial_access
|
|
- attack.t1190
|
|
- attack.execution
|
|
- attack.t1059.001
|
|
- attack.t1086 # an old one
|
|
- attack.t1059.003
|
|
- attack.t1059 # an old one
|
|
- attack.s0190
|
|
logsource:
|
|
category: process_creation
|
|
product: windows
|
|
detection:
|
|
selection:
|
|
ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
|
|
Image|endswith:
|
|
- '\cmd.exe'
|
|
- '\powershell.exe'
|
|
- '\bitsadmin.exe'
|
|
condition: selection
|
|
falsepositives:
|
|
- Unknown
|
|
level: critical
|