CVE-2024-1708 - ScreenConnect Path Traversal Exploitation

calendar Feb 21, 2024 · attack.persistence cve.2024.1708  ·
Share on: linkedin copy

This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.

Sigma rule (View on GitHub)

 1title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
 2id: 44d7af7e-88e6-4490-be11-55f7ff4d9fc1
 3related:
 4    - id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
 5      type: similar
 6status: experimental
 7description: |
 8        This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708.
 9references:
10    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
11    - https://www.cve.org/CVERecord?id=CVE-2024-1709
12    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
13author: Matt Anderson, Andrew Schwartz, Caleb Stewart, Huntress
14date: 2024/02/21
15tags:
16    - attack.persistence
17    - cve.2024.1708
18logsource:
19    product: windows
20    category: file_event
21detection:
22    selection:
23        Image|endswith: '\ScreenConnect.Service.exe'
24        TargetFilename|endswith:
25            - 'ScreenConnect\\App_Extensions\\*.ashx'
26            - 'ScreenConnect\\App_Extensions\\*.aspx'
27    filter_main_legit_extension:
28        TargetFilename|contains: 'ScreenConnect\App_Extensions\\*\\'
29    condition: selection and not 1 of filter_main_*
30falsepositives:
31    - This will occur legitimately as well and will result in some benign activity.
32level: medium

References

Related rules

to-top