rules/web/web_exchange_cve_2020_0688_exploit.yml

title: CVE-2020-0688 Exploitation Attempt
id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a
status: test
description: Detects CVE-2020-0688 Exploitation attempts
author: NVISO
references:
  - https://github.com/Ridter/cve-2020-0688
date: 2020/02/27
modified: 2021/11/27
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains|all:
      - '/ecp/default.aspx'
      - '__VIEWSTATEGENERATOR='
      - '__VIEWSTATE='
  condition: selection
falsepositives:
  - Unknown
level: high
tags:
  - attack.initial_access
  - attack.t1190
Title capitalization 2020-02-27 12:56:56 +01:00			`title: CVE-2020-0688 Exploitation Attempt`
CVE 2020-0688 Exploit attempt rule 2020-02-27 12:51:10 +01:00			`id: 7c64e577-d72e-4c3d-9d75-8de6d1f9146a`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`status: test`
CVE 2020-0688 Exploit attempt rule 2020-02-27 12:51:10 +01:00			`description: Detects CVE-2020-0688 Exploitation attempts`
			`author: NVISO`
Second round 2020-09-15 07:02:30 -06:00			`references:`
			`- https://github.com/Ridter/cve-2020-0688`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`date: 2020/02/27`
			`modified: 2021/11/27`
CVE 2020-0688 Exploit attempt rule 2020-02-27 12:51:10 +01:00			`logsource:`
			`category: webserver`
			`detection:`
			`selection:`
Match on c-uri instead of c-uri-path 2020-02-27 13:23:25 +01:00			`c-uri\|contains\|all:`
$frack113$ Simple Quote 2022-01-11 13:40:53 +01:00			`- '/ecp/default.aspx'`
			`- '__VIEWSTATEGENERATOR='`
			`- '__VIEWSTATE='`
CVE 2020-0688 Exploit attempt rule 2020-02-27 12:51:10 +01:00			`condition: selection`
			`falsepositives:`
			`- Unknown`
			`level: high`
Second round 2020-09-15 07:02:30 -06:00			`tags:`
$frack113$ Change status for old rules 2021-11-27 11:33:14 +01:00			`- attack.initial_access`
			`- attack.t1190`