CVE-2020-0688 Exchange Exploitation via Web Log
Detects exploitation of the Microsoft Exchange vulnerability described in CVE-2020-0688.
Sigma rule
title: CVE-2020-0688 Exchange Exploitation via Web Log
id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
status: test
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth (Nextron Systems)
date: 2020/02/29
modified: 2023/01/02
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2020.0688
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection1:
        cs-method: 'GET'
        cs-uri-query|contains:
            - '/ecp/'
            - '/owa/'
    selection2:
        cs-uri-query|contains: '__VIEWSTATE='
    condition: all of selection*
fields:
    - c-ip
    - c-dns
falsepositives:
    - Unknown
level: critical
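The rule's condition applied to web log lines, as an added example that is not part of the original rule or the Sigma project. It assumes IIS W3C logs, treats the rule's cs-uri-query as path plus query string (the rule matches path fragments in that field), and runs on a constructed sample log with placeholder paths and values.

```python
# Added example, not the rule author's code: the rule's two selections in Python.
PATHS = ("/ecp/", "/owa/")   # selection1: cs-uri-query|contains, any of
MARKER = "__viewstate="      # selection2: cs-uri-query|contains

# Constructed sample log: documentation IP ranges, placeholder paths and values.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2020-03-01 10:00:01 192.0.2.10 GET /owa/page.aspx __VIEWSTATEGENERATOR=AAAA 200
2020-03-01 10:00:02 198.51.100.7 GET /ecp/page.aspx __VIEWSTATEGENERATOR=AAAA&__VIEWSTATE=PLACEHOLDER 500
2020-03-01 10:00:03 192.0.2.11 POST /ecp/page.aspx __VIEWSTATE=PLACEHOLDER 200
2020-03-01 10:00:04 203.0.113.5 GET /ECP/page.aspx __ViewState=PLACEHOLDER 200
2020-03-01 10:00:05 192.0.2.12 GET /app/page.aspx __VIEWSTATE=PLACEHOLDER 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the '#Fields:' directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or malformed lines
                yield dict(zip(fields, values))

def matches_rule(rec):
    """condition: all of selection* (Sigma string matching is case-insensitive)."""
    query = rec.get("cs-uri-query", "-")
    # Assumption: the rule's cs-uri-query field is evaluated against path + query,
    # so the IIS cs-uri-stem and cs-uri-query columns are joined here.
    uri = (rec.get("cs-uri-stem", "") + "?" + ("" if query == "-" else query)).lower()
    selection1 = rec.get("cs-method", "").upper() == "GET" and any(p in uri for p in PATHS)
    selection2 = MARKER in uri
    return selection1 and selection2

def detect(text):
    """Return the rule's output fields (c-ip, c-dns) for every matching request."""
    return [(r.get("c-ip", "-"), r.get("c-dns", "-"))
            for r in parse_w3c(text) if matches_rule(r)]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

In the sample, the POST request and the request carrying only `__VIEWSTATEGENERATOR=` are not reported, which shows what the rule's `GET` and `__VIEWSTATE=` conditions leave out.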
Related rules
- CVE-2020-0688 Exploitation Attempt
- CVE-2010-5278 Exploitation Attempt
- CVE-2020-10148 SolarWinds Orion API Auth Bypass
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit