Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

6 rules found for "CVE-2024-1709"

3,731Total
3,132Detection
457Emerging
139Hunting
Emerging Threathightest

CVE-2024-1212 Exploitation - Progress Kemp LoadMaster Unauthenticated Command Injection

Detects potential exploitation of CVE-2024-1709 an unauthenticated command injection in Progress Kemp LoadMaster. It looks for GET requests to '/access/set' API with the parameters 'param=enableapi' and 'value=1' as well as an "Authorization" header with a base64 encoded value with an uncommon character.

Web Server Log
Nasreddine Bencherchali (Nextron Systems)Wed Mar 202024
Emerging Threatmediumtest

CVE-2024-1708 - ScreenConnect Path Traversal Exploitation

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.

WindowsFile Event
Matt Anderson+3Wed Feb 212024
Emerging Threatmediumtest

ScreenConnect User Database Modification

Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

WindowsFile Event
Matt Anderson+3Wed Feb 212024
Emerging Threatcriticaltest

CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Web Server Log
Matt Anderson+1Tue Feb 202024
Emerging Threatmediumtest

ScreenConnect User Database Modification - Security

This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Windowssecurity
Matt Anderson+3Tue Feb 202024
Emerging Threathightest

ScreenConnect - SlashAndGrab Exploitation Indicators

Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress

WindowsFile Event
Nasreddine Bencherchali (Nextron Systems)Fri Feb 232024