CVE-2024-50623 Exploitation Attempt - Cleo

Detects exploitation attempts of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line.

Sigma rule (View on GitHub)

title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
        Detects exploitation attempts of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawned from the Cleo software suite with a suspicious PowerShell command line.
references:
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
    - attack.initial-access
    - attack.execution
    - attack.t1190
    - cve.2024-50623
    - detection.emerging-threats
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        ParentCommandLine|contains:
            - 'Harmony'
            - 'lexicom'
            - 'VersaLex'
            - 'VLTrader'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -enc '
            - ' -EncodedCommand'
            - '.Download'
    condition: selection
falsepositives:
    - Unlikely
level: high
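To make the rule's matching semantics concrete, the following is an added Python evaluation of the selection block over constructed process-creation events; it is not part of the Sigma rule, the Sigma project, or the Huntress advisory. The ProcessEvent class, the field names, and every sample path and command line are assumptions made for the illustration. The example applies the Sigma conventions the rule relies on: fields inside one selection map are AND'ed, a list of values under a single field and modifier is OR'ed, and string comparisons are case-insensitive by default. The sample set also shows two events the rule does not cover, a non-Cleo javaw.exe parent and a Cleo parent that launches powershell.exe without the cmd.exe hop, which is the kind of coverage boundary a detection engineer should know when tuning or stacking rules.

```python
"""Added example: evaluate the CVE-2024-50623 Sigma selection over sample events.

Not part of the rule or the page; the event structure and sample data below
are constructed for illustration only.
"""

from dataclasses import dataclass
from typing import Iterable, List


@dataclass
class ProcessEvent:
    """Minimal process_creation event holding the four fields the rule reads."""
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


# Values copied from the rule's selection block.
PARENT_IMAGE_SUFFIX = "\\javaw.exe"
PARENT_CMDLINE_MARKERS = ("Harmony", "lexicom", "VersaLex", "VLTrader")
IMAGE_SUFFIX = "\\cmd.exe"
CMDLINE_MARKERS = ("powershell", " -enc ", " -EncodedCommand", ".Download")


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma |endswith: case-insensitive suffix match."""
    return value.lower().endswith(suffix.lower())


def _contains_any_ci(value: str, markers: Iterable[str]) -> bool:
    """Sigma |contains with a list: case-insensitive, any marker matches (OR)."""
    lowered = value.lower()
    return any(m.lower() in lowered for m in markers)


def matches_rule(ev: ProcessEvent) -> bool:
    """Return True when the event satisfies every field of `selection` (AND)."""
    return (
        _endswith_ci(ev.parent_image, PARENT_IMAGE_SUFFIX)
        and _contains_any_ci(ev.parent_command_line, PARENT_CMDLINE_MARKERS)
        and _endswith_ci(ev.image, IMAGE_SUFFIX)
        and _contains_any_ci(ev.command_line, CMDLINE_MARKERS)
    )


def alerting_events(events: List[ProcessEvent]) -> List[int]:
    """Return the indices of the events that would raise this rule."""
    return [i for i, ev in enumerate(events) if matches_rule(ev)]


# Constructed sample events; paths, jar names and arguments are illustrative.
SAMPLE_EVENTS = [
    # 0: Cleo Harmony's javaw.exe launching cmd.exe with an encoded PowerShell
    #    argument -> alert (the base64 here is just "ABC" in UTF-16).
    ProcessEvent(
        parent_image="C:\\Harmony\\jre\\bin\\javaw.exe",
        parent_command_line='"C:\\Harmony\\jre\\bin\\javaw.exe" -jar C:\\Harmony\\lib\\Harmony.jar',
        image="C:\\Windows\\System32\\cmd.exe",
        command_line="cmd.exe /c powershell -EncodedCommand QQBCAEMA",
    ),
    # 1: same kind of Cleo parent, benign cmd.exe usage -> no alert.
    ProcessEvent(
        parent_image="C:\\VLTrader\\jre\\bin\\javaw.exe",
        parent_command_line='"C:\\VLTrader\\jre\\bin\\javaw.exe" -jar C:\\VLTrader\\lib\\VLTrader.jar',
        image="C:\\Windows\\System32\\cmd.exe",
        command_line="cmd.exe /c dir C:\\VLTrader\\logs",
    ),
    # 2: a javaw.exe that is not a Cleo product -> outside the rule's scope.
    ProcessEvent(
        parent_image="C:\\Program Files\\Java\\bin\\javaw.exe",
        parent_command_line='"C:\\Program Files\\Java\\bin\\javaw.exe" -jar C:\\Tools\\build.jar',
        image="C:\\Windows\\System32\\cmd.exe",
        command_line="cmd.exe /c powershell -File deploy.ps1",
    ),
    # 3: Cleo parent starting powershell.exe directly (no cmd.exe hop) ->
    #    not matched, because Image|endswith requires '\cmd.exe'.
    ProcessEvent(
        parent_image="C:\\LexiCom\\jre\\bin\\javaw.exe",
        parent_command_line='"C:\\LexiCom\\jre\\bin\\javaw.exe" -jar C:\\LexiCom\\lib\\LexiCom.jar',
        image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        command_line="powershell.exe -enc QQBCAEMA",
    ),
]


if __name__ == "__main__":
    for i in alerting_events(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev.parent_image} -> {ev.image} :: {ev.command_line}")
```

Running the script prints a single alert for event 0. Event 3 is worth noting during tuning: because the rule anchors on Image ending in \cmd.exe, a direct javaw.exe to powershell.exe spawn needs a sibling rule or a broadened Image list if you want that path covered too.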
