ScreenConnect - SlashAndGrab Exploitation Indicators
Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
Sigma rule (View on GitHub)
1title: ScreenConnect - SlashAndGrab Exploitation Indicators
2id: 05164d17-8e11-4d7d-973e-9e4962436b87
3status: experimental
4description: |
5 Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported Team Huntress
6references:
7 - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
8author: Nasreddine Bencherchali (Nextron Systems)
9date: 2024/02/23
10tags:
11 - attack.defense_evasion
12logsource:
13 product: windows
14 category: file_event
15detection:
16 selection:
17 - TargetFilename|contains|all:
18 - 'C:\Windows\Temp\ScreenConnect\'
19 - '\LB3.exe'
20 - TargetFilename|contains:
21 - 'C:\mpyutd.msi'
22 - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
23 - 'C:\ProgramData\1.msi'
24 - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
25 - 'C:\ProgramData\update.dat'
26 - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
27 - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
28 - 'C:\Windows\Help\Help\SentinelUI.exe'
29 - 'C:\Windows\spsrv.exe'
30 - 'C:\Windows\Temp\svchost.exe'
31 condition: selection
32falsepositives:
33 - Unknown
34level: high
References
-
Adversaries have been VERY busy in the wake of the ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708). Here’s all the post-exploitation details, tradecraft, and tactics we’ve observed so far!
Read More
Related rules
- Weak or Abused Passwords In CLI
- Custom Cobalt Strike Command Execution
- Deleting Windows Defender scheduled tasks
- FlawedGrace spawning threat injection target
- Hiding local user accounts