Type: Emerging Threat | Level: critical | Status: test

CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security

This rule detects modifications to ASPX and ASHX files placed directly in the root of the App_Extensions directory, which a ZipSlip (path traversal) vulnerability in ScreenConnect versions prior to 23.9.8 allows. Such writes occur during exploitation of CVE-2024-1708. Detection requires an advanced audit policy that logs successful Windows Event ID 4663 events, with a SACL set on the directory.

Authors: Matt Anderson, Caleb Stewart, Huntress
Created: Tue Feb 20, 2024
Rule ID: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
Emerging Threat
Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source
Product: windows
Service: security

Definition

Requirements: SACLs must be enabled for the ScreenConnect directory

Detection Logic (2 selectors)
detection:
    selection:
        EventID: 4663
        ObjectType: 'File'
        ProcessName|contains: 'ScreenConnect.Service.exe'
        AccessMask: '0x6'
        ObjectName|endswith:
            - 'ScreenConnect\\App_Extensions\\*.ashx'
            - 'ScreenConnect\\App_Extensions\\*.aspx'
    filter_main_legit_extension:
        ObjectName|contains: 'ScreenConnect\App_Extensions\\*\\'
    condition: selection and not 1 of filter_main_*
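To make the selection and filter semantics concrete, the following is an added example (not part of the rule or of the Sigma project) that applies the rule's logic to constructed Windows Security 4663 events. It converts the rule's values using Sigma's escaping conventions (`\\` is a literal backslash, a lone `\` before an ordinary character is also literal, `*` matches any run of characters, matching is case-insensitive), so it shows why the `filter_main_legit_extension` clause is needed: the `*` in the selection also crosses directory separators, so files inside an extension's own subdirectory would otherwise match. The event field values and paths below are constructed sample data.

```python
import re
from typing import Dict, List, Pattern

# Added example: a minimal matcher for this Sigma rule's selection/filter logic.
# Not the Sigma project's own matcher; it implements only what this rule needs.


def sigma_value_to_regex(value: str, modifier: str = "equals") -> Pattern:
    """Translate a Sigma string value into a compiled regex.

    Sigma escaping: '\\\\' -> literal backslash, '\\*' / '\\?' -> literal wildcard
    character, a lone backslash before anything else is a plain backslash.
    '*' and '?' are wildcards. Sigma string matching is case-insensitive.
    """
    parts: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value) and value[i + 1] in "\\*?":
            parts.append(re.escape(value[i + 1]))  # escaped char -> literal
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))  # includes a lone literal backslash
        i += 1
    body = "".join(parts)
    if modifier == "endswith":
        body = ".*" + body
    elif modifier == "startswith":
        body = body + ".*"
    elif modifier == "contains":
        body = ".*" + body + ".*"
    return re.compile(body, re.IGNORECASE | re.DOTALL)


# Values copied from the rule above (raw strings keep the YAML escaping intact).
SELECTION_OBJECT_NAME = [
    sigma_value_to_regex(r"ScreenConnect\\App_Extensions\\*.ashx", "endswith"),
    sigma_value_to_regex(r"ScreenConnect\\App_Extensions\\*.aspx", "endswith"),
]
SELECTION_PROCESS_NAME = sigma_value_to_regex("ScreenConnect.Service.exe", "contains")
SELECTION_OBJECT_TYPE = sigma_value_to_regex("File")
FILTER_LEGIT_EXTENSION = sigma_value_to_regex(
    r"ScreenConnect\App_Extensions\\*\\", "contains"
)


def matches_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'selection and not 1 of filter_main_*' for one 4663 event."""
    if str(event.get("EventID", "")) != "4663":
        return False
    if not SELECTION_OBJECT_TYPE.fullmatch(event.get("ObjectType", "")):
        return False
    if not SELECTION_PROCESS_NAME.fullmatch(event.get("ProcessName", "")):
        return False
    if event.get("AccessMask", "") != "0x6":  # WriteData | AppendData
        return False
    object_name = event.get("ObjectName", "")
    if not any(p.fullmatch(object_name) for p in SELECTION_OBJECT_NAME):
        return False
    # A file under an extension's own subdirectory is a legitimate extension.
    if FILTER_LEGIT_EXTENSION.fullmatch(object_name):
        return False
    return True


def flagged_object_names(events: List[Dict[str, str]]) -> List[str]:
    """Return the ObjectName of every event that fires the rule."""
    return [e["ObjectName"] for e in events if matches_rule(e)]


# Constructed sample events (hypothetical paths, not real telemetry).
_SVC = r"C:\Program Files (x86)\ScreenConnect\Bin\ScreenConnect.Service.exe"
_ROOT = r"C:\Program Files (x86)\ScreenConnect\App_Extensions"
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 1: handler written directly into App_Extensions root -> fires
    {"EventID": "4663", "ObjectType": "File", "ProcessName": _SVC,
     "AccessMask": "0x6", "ObjectName": _ROOT + r"\handler.ashx"},
    # 2: same file type inside an extension subdirectory -> filtered out
    {"EventID": "4663", "ObjectType": "File", "ProcessName": _SVC,
     "AccessMask": "0x6", "ObjectName": _ROOT + r"\SampleExt\Handler.ashx"},
    # 3: read access only -> not a modification
    {"EventID": "4663", "ObjectType": "File", "ProcessName": _SVC,
     "AccessMask": "0x80", "ObjectName": _ROOT + r"\page.aspx"},
    # 4: written by a different process -> outside the rule's scope
    {"EventID": "4663", "ObjectType": "File", "ProcessName": r"C:\Windows\notepad.exe",
     "AccessMask": "0x6", "ObjectName": _ROOT + r"\page.aspx"},
    # 5: non-web file in the root -> not an ASPX/ASHX handler
    {"EventID": "4663", "ObjectType": "File", "ProcessName": _SVC,
     "AccessMask": "0x6", "ObjectName": _ROOT + r"\readme.txt"},
]

if __name__ == "__main__":
    for name in flagged_object_names(SAMPLE_EVENTS):
        print("ALERT:", name)
```

Only the first sample event fires; event 2 shows the filter suppressing a file inside an extension's subdirectory, and events 3 to 5 each fail one selection field. Note that the rule keys on AccessMask `0x6`, so the SACL on the directory must audit successful write/append access by the ScreenConnect service account, otherwise no 4663 events exist for the rule to match.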
False Positives
Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

MITRE ATT&CK

Other tags: cve.2024-1708, detection.emerging-threats
Rule Metadata
Rule ID
4c198a60-7d05-4daf-8bf7-4136fb6f5c62
Status
test
Level
critical
Type
Emerging Threat
Created
Tue Feb 20
Path
rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml
Raw Tags
attack.initial-access, attack.persistence, cve.2024-1708, detection.emerging-threats