CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
Sigma rule:

```yaml
title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
id: d27eabad-9068-401a-b0d6-9eac744d6e67
status: experimental
description: |
    Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
author: Matt Anderson, Huntress
date: 2024-02-20
tags:
    - attack.initial-access
    - attack.persistence
    - cve.2024-1709
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains: '/SetupWizard.aspx/'
    condition: selection
falsepositives:
    - Unknown
level: critical
```
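As an added example (not part of the rule or the SigmaHQ project), the selection above applied in Python to a constructed IIS W3C log excerpt; the log lines, the field set and the `find_hits` helper are assumptions. It makes two properties of the rule visible: the match is on `cs-uri-stem` only, so the trailing slash in `/SetupWizard.aspx/` decides the hit and the request method is not checked, and the comparison is case-insensitive, which is Sigma's default for string matching.

```python
# Selection taken from the rule: cs-uri-stem|contains '/SetupWizard.aspx/'.
# Sigma string matching is case-insensitive by default, so the check is too.
SELECTION = {"cs-uri-stem": "/SetupWizard.aspx/"}

# Constructed IIS W3C extended log excerpt (not a real capture); the field
# list is a reduced one chosen for the example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2024-02-21 10:15:32 10.0.0.5 GET /Login - 443 192.0.2.10 Mozilla/5.0 200
2024-02-21 10:15:40 10.0.0.5 GET /SetupWizard.aspx/ - 443 192.0.2.10 Mozilla/5.0 200
2024-02-21 10:15:41 10.0.0.5 POST /setupwizard.aspx/x - 443 192.0.2.10 Mozilla/5.0 200
2024-02-21 10:16:00 10.0.0.5 GET /SetupWizard.aspx - 443 198.51.100.7 Mozilla/5.0 302
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-map columns
        yield dict(zip(fields, values))


def matches(event):
    """Apply the rule's selection with Sigma's case-insensitive 'contains'."""
    return all(needle.lower() in event.get(field, "").lower()
               for field, needle in SELECTION.items())


def find_hits(text):
    """Return (cs-method, cs-uri-stem, c-ip) for every event the rule would flag."""
    return [(e["cs-method"], e["cs-uri-stem"], e["c-ip"])
            for e in parse_w3c(text) if matches(e)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print("ALERT CVE-2024-1709:", hit)
```

The plain `/SetupWizard.aspx` request on the last sample line is not flagged, and the POST request is, which is what the selection expresses even though the description speaks of GET requests.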
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel