Emerging Threatmediumtest
CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Matt Anderson, Andrew Schwartz, Caleb Stewart, HuntressCreated Wed Feb 2144d7af7e-88e6-4490-be11-55f7ff4d9fc12024
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
Image|endswith: '\ScreenConnect.Service.exe'
TargetFilename|endswith:
- 'ScreenConnect\\App_Extensions\\*.ashx'
- 'ScreenConnect\\App_Extensions\\*.aspx'
filter_main_legit_extension:
TargetFilename|contains: 'ScreenConnect\App_Extensions\\*\\'
condition: selection and not 1 of filter_main_*False Positives
This will occur legitimately as well and will result in some benign activity.
MITRE ATT&CK
Tactics
Other
cve.2024-1708detection.emerging-threats
Rule Metadata
Rule ID
44d7af7e-88e6-4490-be11-55f7ff4d9fc1
Status
test
Level
medium
Type
Emerging Threat
Created
Wed Feb 21
Path
rules-emerging-threats/2024/Exploits/CVE-2024-1708/file_event_win_exploit_cve_2024_1708_screenconnect.yml
Raw Tags
attack.persistencecve.2024-1708detection.emerging-threats