CVE2024

CVE-2024-1709

3Rules

3References

1Folders

2024-02-21Latest

Summary

CVE-2024-1709 is tracked here through 3 Sigma detections for exploitation attempts and related post-exploitation behavior observed in 2024. Coverage centers on webserver, windows / file_event, windows / security.

Related Detections

Search this threat

Emerging Threatmediumtest

ScreenConnect User Database Modification

Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

WindowsFile Event

TA0003 · Persistencecve.2024-1709detection.emerging-threats

Matt Anderson+3Wed Feb 212024

Emerging Threatcriticaltest

CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Web Server Log

TA0001 · Initial AccessTA0003 · Persistencecve.2024-1709detection.emerging-threats

Matt Anderson+1Tue Feb 202024

Emerging Threatmediumtest

ScreenConnect User Database Modification - Security

This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Windowssecurity

TA0005 · Stealthcve.2024-1709detection.emerging-threats

Matt Anderson+3Tue Feb 202024

References