Exploited CVE-2020-10189 Zoho ManageEngine
Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
Sigma rule (View on GitHub)
1title: Exploited CVE-2020-10189 Zoho ManageEngine
2id: 846b866e-2a57-46ee-8e16-85fa92759be7
3status: test
4description: Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189
5references:
6 - https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
7 - https://vulmon.com/exploitdetails?qidtp=exploitdb&qid=48224
8author: Florian Roth (Nextron Systems)
9date: 2020/03/25
10modified: 2023/01/21
11tags:
12 - attack.initial_access
13 - attack.t1190
14 - attack.execution
15 - attack.t1059.001
16 - attack.t1059.003
17 - attack.s0190
18 - cve.2020.10189
19 - detection.emerging_threats
20logsource:
21 category: process_creation
22 product: windows
23detection:
24 selection:
25 ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe'
26 Image|endswith:
27 - '\cmd.exe'
28 - '\powershell.exe'
29 - '\pwsh.exe'
30 - '\bitsadmin.exe'
31 - '\systeminfo.exe'
32 - '\net.exe'
33 - '\net1.exe'
34 - '\reg.exe'
35 - '\query.exe'
36 condition: selection
37falsepositives:
38 - Unknown
39level: high
References
-
Mandiant has observed APT41 attempt to exploit vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central.
Read More -
Vulmon is a vulnerability and exploit search engine with vulnerability intelligence features.
Read More
Related rules
- DNS RCE CVE-2020-1350
- Potential Atlassian Confluence CVE-2021-26084 Exploitation Attempt
- HTML Help HH.EXE Suspicious Child Process
- Suspicious HH.EXE Execution
- CVE-2010-5278 Exploitation Attempt