Exploit Prevention
The following CVEs have been confirmed for ENS Threat Prevention Exploit Prevention.
CVE-2019-0708 | RCE of Windows Remote Desktop Services (RDS) | Covered by existing Network Intrusion Prevention System (NIPS) signature 6137
CVE-2016-0167 | Local privilege escalation on older versions of Microsoft Windows | Expected coverage by Generic Privilege Escalation Prevention (GPEP)
CVE-2020-1472 | Microsoft Active Directory escalation of privileges | Covered by 6182
CVE-2020-10189 | RCE for ZoHo ManageEngine Desktop Central | Expert Rule below
CVE-2019-8394 | Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload | Expert Rule below
CVE-2020-0688, CVE-2019-0604 | IIS Enveloping Signature | Expert Rule below
Expert Rule for CVE-2020-10189 - RCE for ZoHo ManageEngine Desktop Central:
Rule name | Block ZoHo ManageEngine Desktop Central RCE
Severity | High
Action | Block, Report
Rule type | Processes
Rule content |
    Rule {
      Process {
        Include OBJECT_NAME { -v "**\\DesktopCentral_Server\\jre\\bin\\java.exe" }
        Include PROCESS_CMD_LINE { -v "**DCStarter**" }
      }
      Target {
        Match PROCESS {
          Include OBJECT_NAME { -v "cmd.exe" }
          Include OBJECT_NAME { -v "powershell.exe" }
          Include OBJECT_NAME { -v "cscript.exe" }
          Include OBJECT_NAME { -v "wscript.exe" }
          Exclude PROCESS_CMD_LINE { -v "**.bat**" }
          Include -access "CREATE"
        }
      }
    }
Notes (Optional) | CVE-2020-10189
Expert Rule for CVE-2019-8394 - Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload:
Rule name | Block Zoho ManageEngine ServiceDesk Plus (SDP) Arbitrary File Upload
Severity | High
Action | Block, Report
Rule type | Files
Rule content |
    Rule {
      Process {
        Include OBJECT_NAME { -v "**\\ManageEngine\\ServiceDesk\\jre\\bin\\java.exe" }
      }
      Target {
        Match FILE {
          Include OBJECT_NAME { -v "**\\ManageEngine\\ServiceDesk\\custom\\login\\*.jsp" }
          Include -access "WRITE"
        }
      }
    }
Notes (Optional) | CVE-2019-8394
Expert Rule for CVE-2020-0688 and CVE-2019-0604. This rule is an enveloping signature that prevents attacks on the IIS process that use deserialization-type vulnerabilities:
Rule name | IIS Enveloping Signature
Severity | High
Action | Block, Report
Rule type | Processes
Rule content |
    Rule {
      Process {
        Include OBJECT_NAME { -v "w3wp.exe" }
      }
      Target {
        Match PROCESS {
          Include OBJECT_NAME { -v "cmd.exe" }
          Include OBJECT_NAME { -v "powershell.exe" }
          Include OBJECT_NAME { -v "cscript.exe" }
          Include OBJECT_NAME { -v "wscript.exe" }
          Include OBJECT_NAME { -v "mshta.exe" }
          Include -access "CREATE"
        }
      }
    }
Notes (Optional) | CVE-2020-0688, CVE-2019-0604
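
The two Processes rules above (Desktop Central and IIS) can be replayed against process-creation telemetry to see what they would flag before Block is enabled. The sketch below is an added example, not McAfee code: the event field names, the sample events and the wildcard handling (** spans path separators, * does not, bare file names compared with the image's base name) are assumptions of this example.

```python
import re
from ntpath import basename

# The two process rules above, transcribed as data (field names are this example's own).
SHELLS = ["cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"]
RULES = {
    "Block ZoHo ManageEngine Desktop Central RCE": {
        "parent": r"**\DesktopCentral_Server\jre\bin\java.exe",
        "parent_cmd": "**DCStarter**",
        "children": SHELLS, "child_cmd_exclude": "**.bat**"},
    "IIS Enveloping Signature": {
        "parent": "w3wp.exe", "parent_cmd": None,
        "children": SHELLS + ["mshta.exe"], "child_cmd_exclude": None},
}

def wild(pattern):
    # Assumed wildcard semantics: ** spans path separators, * stops at them.
    parts = re.split(r"(\*\*|\*)", pattern)
    rx = "".join(".*" if p == "**" else r"[^\\/]*" if p == "*" else re.escape(p)
                 for p in parts)
    return re.compile(rx + r"\Z", re.I | re.S)

def name_match(pattern, path):
    # Assumption: a bare file name is compared with the image's base name.
    return bool(wild(pattern).match(path if "\\" in pattern else basename(path)))

def evaluate(ev):
    """Return the names of the rules a process-creation event would trigger."""
    hits = []
    for name, r in RULES.items():
        if not name_match(r["parent"], ev["parent_image"]):
            continue  # Process section: initiating image does not match
        if r["parent_cmd"] and not wild(r["parent_cmd"]).match(ev["parent_cmdline"]):
            continue  # Process section: initiating command line does not match
        if not any(name_match(c, ev["image"]) for c in r["children"]):
            continue  # Target section: created process is not a listed interpreter
        if r["child_cmd_exclude"] and wild(r["child_cmd_exclude"]).match(ev["cmdline"]):
            continue  # Target section: Exclude PROCESS_CMD_LINE (.bat launches)
        hits.append(name)
    return hits

def event(parent, pcmd, image, cmd):
    return dict(parent_image=parent, parent_cmdline=pcmd, image=image, cmdline=cmd)

# Constructed sample events (not real telemetry).
DC = r"C:\ManageEngine\DesktopCentral_Server\jre\bin\java.exe"
W3 = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    event(DC, "java.exe -Dx=1 DCStarter", CMD, "cmd.exe /c whoami"),
    event(DC, "java.exe -Dx=1 DCStarter", CMD, r"cmd.exe /c C:\ManageEngine\DesktopCentral_Server\bin\backup.bat"),
    event(W3, "w3wp.exe -ap pool1", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
    event(W3, "w3wp.exe -ap pool1", r"C:\Windows\Microsoft.NET\Framework64\csc.exe", "csc.exe /noconfig"),
]
```

The second event shows the effect of the .bat exclusion in the Desktop Central rule: any interpreter launch whose command line contains ".bat" is not evaluated, so that exclusion is worth reviewing against what the server legitimately runs.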