CVE-2024-50623 Exploitation Attempt - Cleo
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with a suspicious PowerShell command line.
Sigma rule (View on GitHub)
title: CVE-2024-50623 Exploitation Attempt - Cleo
id: f007b877-02e3-45b7-8501-1b78c2864029
status: experimental
description: |
    Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Cleo software suite with a suspicious PowerShell command line.
references:
    - https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
author: Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
date: 2024-12-09
tags:
    - attack.execution
    - attack.t1190
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\javaw.exe'
        ParentCommandLine|contains:
            - 'Harmony'
            - 'lexicom'
            - 'VersaLex'
            - 'VLTrader'
        Image|endswith: '\cmd.exe'
        CommandLine|contains:
            - 'powershell'
            - ' -enc '
            - ' -EncodedCommand'
            - '.Download'
    condition: selection
falsepositives:
    - Unlikely
level: high
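To show how the selection block above behaves on real telemetry, here is an added Python evaluator (not part of the rule or the Sigma project) that applies the rule's four field conditions to constructed Windows process_creation events; the event paths and arguments are illustrative placeholders.

```python
# Added example, not part of the rule page: evaluates the rule's `selection`
# block over constructed process_creation events. Sigma's endswith/contains
# modifiers are case-insensitive by default, so both sides are lowercased.

# Field values copied from the Sigma rule above.
PARENT_IMAGE_SUFFIX = "\\javaw.exe"
PARENT_CMDLINE_MARKERS = ("Harmony", "lexicom", "VersaLex", "VLTrader")
IMAGE_SUFFIX = "\\cmd.exe"
CMDLINE_MARKERS = ("powershell", " -enc ", " -EncodedCommand", ".Download")

def _contains_any(value, needles):
    """Sigma `|contains` list semantics: any needle matches, case-insensitive."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_cve_2024_50623(event):
    """True when every field of `selection` matches (fields in a map are ANDed).
    Keys mirror Sigma process_creation field names; an absent field never matches."""
    return (
        event.get("ParentImage", "").lower().endswith(PARENT_IMAGE_SUFFIX.lower())
        and _contains_any(event.get("ParentCommandLine", ""), PARENT_CMDLINE_MARKERS)
        and event.get("Image", "").lower().endswith(IMAGE_SUFFIX.lower())
        and _contains_any(event.get("CommandLine", ""), CMDLINE_MARKERS)
    )


def evaluate(events):
    """Apply the rule to each event; returns a parallel list of booleans."""
    return [matches_cve_2024_50623(e) for e in events]

# Constructed sample events; paths and arguments are illustrative placeholders.
SAMPLE_EVENTS = [
    {  # Expected hit: Cleo VLTrader javaw.exe parent, cmd.exe child running encoded PowerShell
        "ParentImage": r"C:\VLTrader\jre\bin\javaw.exe",
        "ParentCommandLine": r'"C:\VLTrader\jre\bin\javaw.exe" -jar VLTrader.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -enc <BASE64_PLACEHOLDER>",
    },
    {  # Expected miss: Cleo parent, but the cmd.exe child runs an ordinary command
        "ParentImage": r"C:\VLTrader\jre\bin\javaw.exe",
        "ParentCommandLine": r'"C:\VLTrader\jre\bin\javaw.exe" -jar VLTrader.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c dir C:\VLTrader\logs",
    },
    {  # Expected miss: encoded PowerShell from cmd.exe, but the javaw.exe parent is not Cleo
        "ParentImage": r"C:\Program Files\OtherApp\bin\javaw.exe",
        "ParentCommandLine": r'"C:\Program Files\OtherApp\bin\javaw.exe" -jar app.jar',
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c powershell -EncodedCommand <BASE64_PLACEHOLDER>",
    },
]
```

Only the first event fires, which is what makes the rule narrow: a Cleo parent alone or an encoded PowerShell child alone is not enough, both conditions have to hold on the same process-creation event.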