Emerging Threatcriticaltest

CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Matt Anderson, HuntressCreated Tue Feb 20d27eabad-9068-401a-b0d6-9eac744d6e672024

Emerging Threat

Active Threat

Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.

Log Source

Web Server Log

CategoryWeb Server Log← raw: webserver

HTTP access logs from web servers capturing request paths, methods, and status codes.

Detection Logic

detection:
    selection:
        cs-uri-stem|contains: '/SetupWizard.aspx/'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

Other

cve.2024-1709detection.emerging-threats

Rule Metadata

Rule ID

d27eabad-9068-401a-b0d6-9eac744d6e67

Status

test

Level

critical

Type

Emerging Threat

Created

Tue Feb 20

Author

Path

rules-emerging-threats/2024/Exploits/CVE-2024-1709/web_exploit_cve_2024_1709_screenconnect.yml

Raw Tags

attack.initial-accessattack.persistencecve.2024-1709detection.emerging-threats