T1190-CVE-2020-0688漏洞利用检测
来自ATT&CK的描述
使用软件,数据或命令来利用面向Internet的计算机系统或程序中的弱点,从而导致意外或无法预期的行为。系统的弱点可能是错误、故障或设计漏洞。这些应用程序通常是网站,但是可以包括数据库(例如SQL),标准服务(例如SMB 或SSH)以及具有Internet可访问开放的任何其他应用程序,例如Web服务器和相关服务。根据所利用的缺陷,这可能包括“利用防御防卫”。
如果应用程序托管在基于云的基础架构上,则对其进行利用可能会导致基础实际应用受到损害。这可以使攻击者获得访问云API或利用弱身份和访问管理策略的路径。
对于网站和数据库,OWASP排名前10位和CWE排名前25位突出了最常见的基于Web的漏洞。
CVE-2020-0688漏洞
Microsoft Exchange Server是微软公司一套支持多种电子邮件网络协议的电子邮件服务组件,除传统的电子邮件的存取、储存、转发作用外,在新版本的产品中亦加入了一系列辅助功能,如语音邮件、邮件过滤筛选和OWA(基于Web的电子邮件存取)。
漏洞起于Microsoft Exchange服务器在安装时并没有正确创建唯一密钥,经过身份验证的攻击者可以欺骗目标服务器反序列化恶意创建的ViewState数据,使攻击者可以在Exchange Control Panel web应用上执行任意.net代码。
测试案例
具体复测可以参考
-
CVE-2020-0688:Exchange Server使用固定加密密钥远程代码执行漏洞修复通告:https://www.anquanke.com/post/id/199772
-
CVE-2020-0688_微软EXCHANGE服务的远程代码执行漏洞复现:https://www.cnblogs.com/pt007/p/12394722.html
检测日志
HTTP流量、Windows sysmon日志、IIS日志、exchange日志
测试复现
可参考上述测试案例
测试留痕
HTTP流量检测规则基于payload关键词进行检测
Windows sysmon日志检测规则基于payload关键词检测
IIS日志检测规则,留痕如下:
2020-03-09 17:16:50 ::1 POST /owa/auth.owa &CorrelationID=<empty>;&cafeReqId=9cff6edd-19a9-43c0-bdd2-a94adef6dd0c; 443 [email protected] ::1 Mozilla/4.0+(compatible;+MSIE+9.0;+Windows+NT+6.1;+MSEXCHMON;+ACTIVEMONITORING;+OWACTP) - 302 0 0 0
2020-03-09 17:16:58 172.*.*.27 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyhAYAAQAAAP%2F%2F%2F%2F8BAAAAAAAAAAwCAAAAXk1pY3Jvc29mdC5Qb3dlclNoZWxsLkVkaXRvciwgVmVyc2lvbj0zLjAuMC4wLCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPTMxYmYzODU2YWQzNjRlMzUFAQAAAEJNaWNyb3NvZnQuVmlzdWFsU3R1ZGlvLlRleHQuRm9ybWF0dGluZy5UZXh0Rm9ybWF0dGluZ1J1blByb3BlcnRpZXMBAAAAD0ZvcmVncm91bmRCcnVzaAECAAAABgMAAACmBDxSZXNvdXJjZURpY3Rpb25hcnkNCiAgeG1sbnM9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2luZngvMjAwNi94YW1sL3ByZXNlbnRhdGlvbiINCiAgeG1sbnM6eD0iaHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS93aW5meC8yMDA2L3hhbWwiDQogIHhtbG5zOlN5c3RlbT0iY2xyLW5hbWVzcGFjZTpTeXN0ZW07YXNzZW1ibHk9bXNjb3JsaWIiDQogIHhtbG5zOkRpYWc9ImNsci1uYW1lc3BhY2U6U3lzdGVtLkRpYWdub3N0aWNzO2Fzc2VtYmx5PXN5c3RlbSI%2BDQoJIDxPYmplY3REYXRhUHJvdmlkZXIgeDpLZXk9IiIgT2JqZWN0VHlwZSA9ICJ7IHg6VHlwZSBEaWFnOlByb2Nlc3N9IiBNZXRob2ROYW1lID0gIlN0YXJ0IiA%2BDQogICAgIDxPYmplY3REYXRhUHJvdmlkZXIuTWV0aG9kUGFyYW1ldGVycz4NCiAgICAgICAgPFN5c3RlbTpTdHJpbmc%2BY2FsYy5leGU8L1N5c3RlbTpTdHJpbmc%2BDQogICAgIDwvT2JqZWN0RGF0YVByb3ZpZGVyLk1ldGhvZFBhcmFtZXRlcnM%2BDQogICAgPC9PYmplY3REYXRhUHJvdmlkZXI%2BDQo8L1Jlc291cmNlRGljdGlvbmFyeT4LJ%2F5i3bVSrOTrkun3pNej4tluDK0%3D&CorrelationID=<empty>;&cafeReqId=e0874638-b142-4c77-84c1-c0434137e691; 443 limou 10.0.254.139 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:73.0)+Gecko/20100101+Firefox/73.0 - 500 0 0 1502
检测规则/思路
sigma规则
title: CVE-2020-0688 Exchange Exploitation via Web Log
id: fce2c2e2-0fb5-41ab-a14c-5391e1fd70a5
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
logsource:
category: webserver
detection:
selection1:
cs-method: 'GET'
c-uri|contains:
- '/ecp/'
- '/owa/'
selection2:
c-uri|contains: '__VIEWSTATE='
condition: selection1 and selection2
fields:
- c-ip
- c-dns
falsepositives:
- Unknown
tags:
- attack.initial_access
- attack.t1190
level: critical
title: CVE-2020-0688 Exploitation via Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
tags:
- attack.initial_access
- attack.t1190
logsource:
product: windows
service: application
detection:
selection1:
EventID: 4
Source: MSExchange Control Panel
Level: Error
selection2:
- '*&__VIEWSTATE=*'
condition: selection1 and selection2
falsepositives:
- Unknown
level: high
title: CVE-2020-0688 Exploitation IIS Eventlog
id: d6266bf5-935e-4661-b477-78772735a7cb
status: experimental
description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
references:
- https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
author: Florian Roth
date: 2020/02/29
tags:
- attack.initial_access
- attack.t1190
logsource:
product: windows
service: IIS
detection:
selection1:
cs-method: 'POST'
c-uri|contains: '/owa/auth.owa'
selection2:
cs-method: 'GET'
c-uri|contains: '__VIEWSTATEGENERATOR=* __VIEWSTATE='
timeframe: 3s #可根据实际情况调整
condition: selection1 and selection2
falsepositives:
- Unknown
level: high
建议
暂无
参考推荐
MITRE-ATT&CK-T1190
https://attack.mitre.org/techniques/T1190/
SIGMA rules
https://github.com/Neo23x0/sigma/pull/644/files
在MICROSOFT EXCHANGE SERVER上检测CVE-2020-0688远程执行代码漏洞