Emerging Threathightest
ScreenConnect - SlashAndGrab Exploitation Indicators
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic1 selector
detection:
selection:
- TargetFilename|contains|all:
- 'C:\Windows\Temp\ScreenConnect\'
- '\LB3.exe'
- TargetFilename|contains:
- 'C:\mpyutd.msi'
- 'C:\perflogs\RunSchedulerTaskOnce.ps1'
- 'C:\ProgramData\1.msi'
- 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
- 'C:\ProgramData\update.dat'
- 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
- 'C:\Windows\Help\Help\SentinelAgentCore.dll'
- 'C:\Windows\Help\Help\SentinelUI.exe'
- 'C:\Windows\spsrv.exe'
- 'C:\Windows\Temp\svchost.exe'
condition: selectionFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
References
MITRE ATT&CK
Tactics
Other
detection.emerging-threats
Rule Metadata
Rule ID
05164d17-8e11-4d7d-973e-9e4962436b87
Status
test
Level
high
Type
Emerging Threat
Created
Fri Feb 23
Path
rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml
Raw Tags
attack.defense-evasiondetection.emerging-threats