CVE-2020-0688 Exchange Exploitation via Web Log
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Sigma rule

```yaml
title: CVE-2020-0688 Exchange Exploitation via Web Log
id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
status: test
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth (Nextron Systems)
date: 2020-02-29
modified: 2023-01-02
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-0688
    - detection.emerging-threats
logsource:
    category: webserver
detection:
    selection1:
        cs-method: 'GET'
        cs-uri-query|contains:
            - '/ecp/'
            - '/owa/'
    selection2:
        cs-uri-query|contains: '__VIEWSTATE='
    condition: all of selection*
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
```
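The rule's matching logic applied to constructed web log records, as an added example that is not part of the Sigma project or the original page. It assumes `cs-uri-query` carries the request path together with the query string (as the `/ecp/` and `/owa/` substrings imply); the function names are hypothetical.

```python
# Added example: evaluates the rule's two selections over constructed records.
# Assumption: cs-uri-query holds the request path plus query string.

def contains_any(value, needles):
    """Sigma 'contains' modifier: case-insensitive substring, OR across a list."""
    value = (value or "").lower()
    return any(n.lower() in value for n in needles)

def matches_rule(event):
    uri = event.get("cs-uri-query")
    # selection1: both fields must match (AND inside one selection).
    selection1 = (
        (event.get("cs-method") or "").lower() == "get"
        and contains_any(uri, ["/ecp/", "/owa/"])
    )
    # selection2: the view state parameter appears in the logged URI.
    selection2 = contains_any(uri, ["__VIEWSTATE="])
    # condition: all of selection*
    return selection1 and selection2

def hits(events):
    """Return the rule's output fields (c-ip, c-dns) for each matching event."""
    return [(e.get("c-ip"), e.get("c-dns")) for e in events if matches_rule(e)]

# Constructed sample events (documentation IP range, placeholder values).
SAMPLE_EVENTS = [
    # GET to /ecp/ carrying __VIEWSTATE= in the URI: matches.
    {"c-ip": "203.0.113.10", "c-dns": "host-a.example", "cs-method": "GET",
     "cs-uri-query": "/ecp/default.aspx?__VIEWSTATEGENERATOR=PLACEHOLDER"
                     "&__VIEWSTATE=PLACEHOLDER"},
    # Ordinary OWA logon page: path matches, no view state parameter.
    {"c-ip": "203.0.113.11", "c-dns": "host-b.example", "cs-method": "GET",
     "cs-uri-query": "/owa/auth/logon.aspx?replaceCurrent=1"},
    # POST request: the rule only selects GET, so this is out of scope.
    {"c-ip": "203.0.113.12", "c-dns": "host-c.example", "cs-method": "POST",
     "cs-uri-query": "/ecp/default.aspx?__VIEWSTATE=PLACEHOLDER"},
    # __VIEWSTATEGENERATOR= alone does not contain the substring __VIEWSTATE=.
    {"c-ip": "203.0.113.13", "c-dns": "host-d.example", "cs-method": "GET",
     "cs-uri-query": "/ecp/default.aspx?__VIEWSTATEGENERATOR=PLACEHOLDER"},
    # Different letter case still matches: Sigma string matching ignores case.
    {"c-ip": "203.0.113.14", "c-dns": "host-e.example", "cs-method": "GET",
     "cs-uri-query": "/OWA/auth/page.aspx?__viewstate=PLACEHOLDER"},
]

if __name__ == "__main__":
    for c_ip, c_dns in hits(SAMPLE_EVENTS):
        print(c_ip, c_dns)
```

Requests that carry the view state in a POST body, or a log pipeline that stores the path and query string in separate fields, fall outside what this logic sees, so field mapping should be checked before relying on the rule.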
References
Related rules
- CVE-2020-0688 Exploitation Attempt
- CVE-2020-0688 Exploitation via Eventlog
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations