Phoenix
Sigma IntelligenceBeta
Rule Library

Sigma Rules

7 rules found for "Matt Anderson"

3,707Total
3,116Detection
451Emerging
137Hunting
Emerging Threatmediumtest

CVE-2024-1708 - ScreenConnect Path Traversal Exploitation

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.

WindowsFile Event
TA0003 · Persistencecve.2024-1708detection.emerging-threats
Matt Anderson+3Wed Feb 212024
Emerging Threatcriticaltest

CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Windowssecurity
TA0001 · Initial AccessTA0003 · Persistencecve.2024-1708detection.emerging-threats
Matt Anderson+2Tue Feb 202024
Emerging Threatmediumtest

ScreenConnect User Database Modification

Detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.

WindowsFile Event
TA0003 · Persistencecve.2024-1709detection.emerging-threats
Matt Anderson+3Wed Feb 212024
Emerging Threatcriticaltest

CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation

Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.

Web Server Log
TA0001 · Initial AccessTA0003 · Persistencecve.2024-1709detection.emerging-threats
Matt Anderson+1Tue Feb 202024
Emerging Threatmediumtest

ScreenConnect User Database Modification - Security

This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.

Windowssecurity
TA0005 · Defense Evasioncve.2024-1709detection.emerging-threats
Matt Anderson+3Tue Feb 202024
Emerging Threathighexperimental

CVE-2024-50623 Exploitation Attempt - Cleo

Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.

WindowsProcess Creation
TA0001 · Initial AccessTA0002 · ExecutionT1190 · Exploit Public-Facing Applicationcve.2024-50623+1
Tanner Filip+3Mon Dec 092024
Emerging Threatmediumexperimental

Suspicious CrushFTP Child Process

Detects suspicious child processes spawned by the CrushFTP service that may indicate exploitation of remote code execution vulnerabilities such as CVE-2025-31161, where attackers can achieve RCE through crafted HTTP requests. The detection focuses on commonly abused Windows executables (like powershell.exe, cmd.exe etc.) that attackers typically use post-exploitation to execute malicious commands.

WindowsProcess Creation
TA0001 · Initial AccessTA0002 · ExecutionT1059.001 · PowerShellT1059.003 · Windows Command Shell+3
Craig Sweeney+6Thu Apr 102025