CVE-2020-0688 Exploitation via Eventlog
Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
Sigma rule
title: CVE-2020-0688 Exploitation via Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: test
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
    - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
author: Florian Roth (Nextron Systems), wagga
date: 2020-02-29
modified: 2022-12-25
tags:
    - attack.initial-access
    - attack.t1190
    - cve.2020-0688
    - detection.emerging-threats
logsource:
    product: windows
    service: application
detection:
    selection1:
        EventID: 4
        Provider_Name: 'MSExchange Control Panel'
        Level: Error
    selection2:
        - '&__VIEWSTATE='
    condition: all of selection*
falsepositives:
    - Unknown
level: high
Related rules
- CVE-2020-0688 Exchange Exploitation via Web Log
- CVE-2020-0688 Exploitation Attempt
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - Weblogs
- Arcadyan Router Exploitations