Emerging Threathightest

CVE-2020-0688 Exploitation via Eventlog

Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Florian Roth (Nextron Systems), waggaCreated Sat Feb 29Updated Sun Dec 25d6266bf5-935e-4661-b477-78772735a7cb2020

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Windowsapplication

ProductWindows← raw: windows

Serviceapplication← raw: application

Detection Logic

detection:
    selection1:
        EventID: 4
        Provider_Name: 'MSExchange Control Panel'
        Level: Error
    selection2:
        - '&__VIEWSTATE='
    condition: all of selection*

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Other

cve.2020-0688detection.emerging-threats

Rule Metadata

Rule ID

d6266bf5-935e-4661-b477-78772735a7cb

Status

test

Level

high

Type

Emerging Threat

Created

Sat Feb 29

Modified

Sun Dec 25

Author

Florian Roth (Nextron Systems), wagga

Path

rules-emerging-threats/2020/Exploits/CVE-2020-0688/win_vul_cve_2020_0688.yml

Raw Tags

attack.initial-accessattack.t1190cve.2020-0688detection.emerging-threats

View on GitHub