Exploited CVE-2020-10189 Zoho ManageEngine
Detects exploitation of the Zoho ManageEngine Desktop Central Java deserialization vulnerability (CVE-2020-10189) by flagging suspicious child processes (command shells, BITS, reconnaissance and registry tools) spawned by the Desktop Central server's bundled Java process. The rule fires on the post-exploitation command execution, not on the malicious deserialization request itself.
Sigma rule

title: Exploited CVE-2020-10189 Zoho ManageEngine
id: 846b866e-2a57-46ee-8e16-85fa92759be7
status: test
description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
references:
    - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
    - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
author: Florian Roth (Nextron Systems)
date: 2020-03-25
modified: 2023-01-21
tags:
    - attack.initial-access
    - attack.t1190
    - attack.execution
    - attack.t1059.001
    - attack.t1059.003
    - attack.s0190
    - cve.2020-10189
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\bitsadmin.exe'
            - '\systeminfo.exe'
            - '\net.exe'
            - '\net1.exe'
            - '\reg.exe'
            - '\query.exe'
    condition: selection
falsepositives:
    - Unknown
level: high
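To see exactly what the `selection` block above matches, the following added example (not part of the Sigma project or this rule) replays it in Python over a handful of constructed Windows process_creation events. It uses the Sigma process_creation field names (ParentImage, Image, CommandLine); every path and command line in the sample events is invented for the demonstration. It also reproduces one detail a SIEM backend has to get right: Sigma string matching is case-insensitive by default, so `|endswith` must compare case-insensitively.

```python
# Added example (not part of the Sigma project or this rule): replay the
# rule's `selection` over constructed process_creation events to see which
# ones alert. Field names follow the Sigma process_creation taxonomy; the
# paths and command lines are invented.

# Values copied from the rule. Sigma string modifiers such as |endswith
# compare case-insensitively, so the matcher lowercases both sides.
PARENT_SUFFIX = r"DesktopCentral_Server\jre\bin\java.exe"
CHILD_SUFFIXES = (
    r"\cmd.exe", r"\powershell.exe", r"\pwsh.exe", r"\bitsadmin.exe",
    r"\systeminfo.exe", r"\net.exe", r"\net1.exe", r"\reg.exe", r"\query.exe",
)


def endswith_ci(value: str, suffix: str) -> bool:
    """Sigma-style |endswith: case-insensitive suffix comparison."""
    return value.lower().endswith(suffix.lower())


def matches_selection(event: dict) -> bool:
    """True when the event satisfies `selection` (both fields must match).

    The rule keys on the *parent* being Desktop Central's bundled JRE and
    the *child* being one of the listed binaries. A Java process from any
    other product, or a benign child of this Java process, does not alert.
    """
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    return endswith_ci(parent, PARENT_SUFFIX) and any(
        endswith_ci(image, s) for s in CHILD_SUFFIXES
    )


def alerts(events: list) -> list:
    """Return the CommandLine of every event that fires the rule, in order."""
    return [e["CommandLine"] for e in events if matches_selection(e)]


# Constructed sample telemetry (Sysmon Event ID 1 style); nothing here is real.
SAMPLE_EVENTS = [
    {   # Payload executing a command through cmd.exe: alert
        "ParentImage": r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\out.txt",
    },
    {   # Same parent, mixed-case paths as some collectors emit them: alert
        "ParentImage": r"c:\PROGRAM FILES\desktopcentral_server\JRE\bin\JAVA.EXE",
        "Image": r"C:\WINDOWS\system32\reg.exe",
        "CommandLine": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv",
    },
    {   # Desktop Central's JRE spawning a child not in the list: no alert
        "ParentImage": r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe",
        "Image": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
    },
    {   # An unrelated Java install running cmd.exe: no alert (wrong parent)
        "ParentImage": r"C:\Program Files\Java\jre1.8.0_251\bin\java.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir",
    },
    {   # The leading backslash in '\net.exe' keeps 'subnet.exe' from matching
        "ParentImage": r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe",
        "Image": r"C:\Tools\subnet.exe",
        "CommandLine": r"subnet.exe --scan",
    },
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_EVENTS):
        print("ALERT:", line)
```

Two practical notes follow from the replay. First, the parent suffix assumes the server runs on the JRE shipped under `DesktopCentral_Server\jre`; a deployment pointed at a different Java runtime would not match and needs a local tuning of `ParentImage`. Second, the rule cannot distinguish attacker-driven shells from any legitimate product feature that shells out to the same binaries from the same Java process, which is why `falsepositives` reads `Unknown`; triage by looking at the child's CommandLine and what it spawned next.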
Related rules
- DNS RCE CVE-2020-1350
- HTML Help HH.EXE Suspicious Child Process
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- Potential Baby Shark Malware Activity
- Potential CVE-2022-26809 Exploitation Attempt