ScreenConnect User Database Modification - Security
This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server. This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
Sigma rule (View on GitHub)
1title: ScreenConnect User Database Modification - Security
2id: 4109cb6a-a4af-438a-9f0c-056abba41c6f
3related:
4 - id: 1a821580-588b-4323-9422-660f7e131020
5 type: similar
6status: test
7description: |
8 This detects file modifications to the temporary xml user database file indicating local user modification in the ScreenConnect server.
9 This will occur during exploitation of the ScreenConnect Authentication Bypass vulnerability (CVE-2024-1709) in versions <23.9.8, but may also be observed when making legitimate modifications to local users or permissions.
10 This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
11references:
12 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
13 - https://www.cve.org/CVERecord?id=CVE-2024-1709
14 - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
15author: Matt Anderson, Kris Luzadre, Andrew Schwartz, Huntress
16date: 2024-02-20
17tags:
18 - attack.defense-evasion
19 - cve.2024-1709
20 - detection.emerging-threats
21logsource:
22 product: windows
23 service: security
24 definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
25detection:
26 selection:
27 EventID: 4663
28 ObjectType: 'File'
29 AccessMask: '0x6'
30 ObjectName|endswith: '.xml'
31 ObjectName|contains|all:
32 - 'Temp'
33 - 'ScreenConnect'
34 ProcessName|contains: 'ScreenConnect.Service.exe'
35 condition: selection
36falsepositives:
37 - This will occur legitimately as well and will result in some benign activity.
38level: medium
References
-
We've received notifications of suspicious activity that our incident response team has investigated.
Read More -
-
This blog discusses the Huntress Team's analysis efforts of the two vulnerabilities and software weaknesses in ConnectWise ScreenConnect (CVE-2024-1708 and CVE-2024-1709) and the technical details behind this attack.
Read More
Related rules
- CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
- Forest Blizzard APT - File Creation Activity
- Forest Blizzard APT - Process Creation Activity
- Lummac Stealer Activity - Execution Of More.com And Vbc.exe
- Pikabot Fake DLL Extension Execution Via Rundll32.EXE