CVE-2020-0688 Exploitation via Eventlog

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Sigma rule

title: CVE-2020-0688 Exploitation via Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: test
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
    - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
    - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
author: Florian Roth (Nextron Systems), wagga
date: 2020/02/29
modified: 2022/12/25
tags:
    - attack.initial_access
    - attack.t1190
    - cve.2020.0688
    - detection.emerging_threats
logsource:
    product: windows
    service: application
detection:
    selection1:
        EventID: 4
        Provider_Name: 'MSExchange Control Panel'
        Level: Error
    selection2:
        - '&__VIEWSTATE='
    condition: all of selection*
falsepositives:
    - Unknown
level: high
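
How the two selections combine, shown as an added example that is not part of the original rule or the Sigma project's code: selection1 is a field map (all fields must match), selection2 is a keyword list searched across the whole event, and the condition requires both. The event dictionaries, the Message field name and its contents are constructed for illustration.

```python
# Added example: evaluates the rule's two selections over constructed events.
# Field names follow the rule; "Message" and all sample values are assumptions.
SELECTION1 = {
    "EventID": 4,
    "Provider_Name": "MSExchange Control Panel",
    "Level": "Error",
}
SELECTION2 = ["&__VIEWSTATE="]  # keyword list: not tied to a single field


def _eq(actual, expected):
    """Sigma compares plain string values case-insensitively."""
    return str(actual).lower() == str(expected).lower()


def match_fields(event, selection):
    """Map selection: every listed field must be present and equal (AND)."""
    return all(k in event and _eq(event[k], v) for k, v in selection.items())


def match_keywords(event, keywords):
    """Keyword selection: any keyword (OR) as a substring of any field value."""
    haystack = "\n".join(str(v) for v in event.values()).lower()
    return any(kw.lower() in haystack for kw in keywords)


def rule_matches(event):
    """condition: all of selection*  ->  selection1 AND selection2."""
    return match_fields(event, SELECTION1) and match_keywords(event, SELECTION2)


# Constructed sample events (not real log data).
EVENTS = [
    {"EventID": 4, "Provider_Name": "MSExchange Control Panel", "Level": "Error",
     "Message": "Request failed: /ecp/default.aspx?x=1&__VIEWSTATE=PLACEHOLDER"},
    {"EventID": 4, "Provider_Name": "MSExchange Control Panel", "Level": "Error",
     "Message": "Request failed: /ecp/default.aspx (timeout)"},
    {"EventID": 4, "Provider_Name": "Some Other Provider", "Level": "Error",
     "Message": "Request failed: /page.aspx?x=1&__VIEWSTATE=PLACEHOLDER"},
    {"EventID": 4, "Provider_Name": "MSExchange Control Panel", "Level": "Information",
     "Message": "Request: /ecp/default.aspx?x=1&__VIEWSTATE=PLACEHOLDER"},
]


def matching_indices(events):
    """Return the positions of the events the rule would alert on."""
    return [i for i, e in enumerate(events) if rule_matches(e)]
```

Only the first constructed event satisfies both selections; the others fail on the keyword, the provider name and the level respectively.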
