CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
Sigma rule
```yaml
title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
id: d27eabad-9068-401a-b0d6-9eac744d6e67
status: test
description: |
  Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
references:
  - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
  - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
  - https://www.cve.org/CVERecord?id=CVE-2024-1709
author: Matt Anderson, Huntress
date: 2024-02-20
tags:
  - attack.initial-access
  - attack.persistence
  - cve.2024-1709
  - detection.emerging-threats
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains: '/SetupWizard.aspx/'
  condition: selection
falsepositives:
  - Unknown
level: critical
```
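The selection above is a single case-insensitive `contains` on `cs-uri-stem`, with no filter on `cs-method`, so it fires on POST as well as the GET requests the description names, while the trailing slash keeps the ordinary `/SetupWizard.aspx` page out of scope. The following is an added example (not part of the rule or the Sigma project) that applies that logic to a small, constructed IIS W3C log; the hostnames, addresses and timestamps are made up.

```python
from typing import Iterator

# Constructed sample of an IIS W3C log as written by a ScreenConnect web server.
# All IPs, times and status codes are invented for this example.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2024-02-21 10:15:01 10.0.0.5 GET /Login - 443 198.51.100.7 200
2024-02-21 10:15:09 10.0.0.5 GET /SetupWizard.aspx - 443 198.51.100.7 200
2024-02-21 10:15:12 10.0.0.5 GET /SetupWizard.aspx/ - 443 203.0.113.9 200
2024-02-21 10:15:13 10.0.0.5 POST /setupwizard.aspx/x - 443 203.0.113.9 200
2024-02-21 10:16:00 10.0.0.5 GET /App_Themes/Default/Style.css - 443 198.51.100.7 200
"""


def parse_w3c(text: str) -> Iterator[dict]:
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other directives and blank lines carry no record
        if fields is None:
            raise ValueError("record seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # skip a malformed record rather than misalign columns
        yield dict(zip(fields, values))


def matches_cve_2024_1709(record: dict) -> bool:
    """Sigma's 'contains' modifier is case-insensitive, hence the lowercase compare.
    The trailing slash is what separates the bypass path from the normal
    '/SetupWizard.aspx' page, so that page alone does not match."""
    return "/setupwizard.aspx/" in record.get("cs-uri-stem", "").lower()


def find_hits(text: str) -> list[dict]:
    """Return every record the rule's selection would match, in log order."""
    return [rec for rec in parse_w3c(text) if matches_cve_2024_1709(rec)]


if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(hit["c-ip"], hit["cs-method"], hit["cs-uri-stem"])
```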
Related rules
- CVE-2024-1708 - ScreenConnect Path Traversal Exploitation - Security
- ScreenConnect User Database Modification
- CVE-2021-40539 Zoho ManageEngine ADSelfService Plus Exploit
- Oracle WebLogic Exploit
- CVE-2023-1389 Potential Exploitation Attempt - Unauthenticated Command Injection In TP-Link Archer AX21