ScreenConnect User Database Modification - Security
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Sigma rule (View on GitHub)
1title: ScreenConnect User Database Modification - Security
2id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
3related:
4 - id: 1a821580-588b-4323-9422-660f7e131020
5 type: similar
6status: test
7description: |
8 This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
9 This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
10 This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
11references:
12 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
13 - https://www.cve.org/CVERecord?id=CVE-2024-1709
14 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
15author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
16date: 2024-02-20
17tags:
18 - cve.2024-1709
19 - detection.emerging-threats
20 - attack.defense-impairment
21logsource:
22 product: windows
23 service: security
24 definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
25detection:
26 selection:
27 EventID: 4663
28 ObjectType: 'File'
29 AccessMask: '0x6'
30 ObjectName|endswith: '.xml'
31 ObjectName|contains|all:
32 - 'Temp'
33 - 'ScreenConnect'
34 ProcessName|contains: 'ScreenConnect.Service.exe'
35 condition: selection
36falsepositives:
37 - This will occur legitimately as well and will result in some benign activity.
38level: medium
References
-
-
-
This blog discusses the Huntress Team's analysis efforts of the two vulnerabilities and software weaknesses in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709) and the technical details behind this attack.
Read More
Related rules
- Blackbyte Ransomware Registry
- Blue Mockingbird
- Blue Mockingbird - Registry
- CVE-2020-1048 Exploitation Attempt - Suspicious New Printer Ports - Registry
- Diamond Sleet APT Scheduled Task Creation - Registry