1. Home
  2. Mapping Frameworks
  3. Known Exploited Vulnerabilities Home
  4. Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability

Known Exploited Vulnerabilities CVE-2021-44077 Mappings

Zoho ManageEngine ServiceDesk Plus before 11306, ServiceDesk Plus MSP before 10530, and SupportCenter Plus before 11014 are vulnerable to unauthenticated remote code execution. This is related to /RestAPI URLs in a servlet, and ImportTechnicians in the Struts configuration.

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1573.001 Symmetric Cryptography
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1560.001 Archive via Utility
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1087.002 Domain Account
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1070.004 File Deletion
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1047 Windows Management Instrumentation
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1003.003 NTDS
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1136 Create Account
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1218 System Binary Proxy Execution
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1003 OS Credential Dumping
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1140 Deobfuscate/Decode Files or Information
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability secondary_impact T1027 Obfuscated Files or Information
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability primary_impact T1505.003 Web Shell
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a
CVE-2021-44077 Zoho ManageEngine ServiceDesk Plus Remote Code Execution Vulnerability exploitation_technique T1190 Exploit Public-Facing Application
Comments
CVE-2021-44077 is an unauthenticated remote code execution vulnerability. The following post-exploitation activity has been observed by adversaries: writing webshells to disk for persistence, obfuscating and deobfuscating/decoding files or information, dumping user credentials, only using signed windows binaries for follow-on actions, adding/deleting user accounts as needed, exfiltrating the active directory database, using windows management instrumentation for remote execution, deleting files to remove indicators from the host, discovering domain accounts, collecting and archiving files for exfiltration, and using symmetric encryption for command and control.
References
  1. https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-336a