JohnHammond/SetupWizard_sigma_rule.yml Secret

## SetupWizard_sigma_rule.yml
title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
id: d27eabad-9068-401a-b0d6-9eac744d6e67
status: experimental
description: |
    Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
references:
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
    - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
    - https://www.cve.org/CVERecord?id=CVE-2024-1709
author: Matt Anderson, Huntress
date: 2024/02/20
tags:
    - attack.initial_access
    - attack.persistence
    - cve.2024.1709
logsource:
    category: webserver
detection:
    selection:
        cs-uri-stem|contains: '/SetupWizard.aspx/'
    condition: selection
falsepositives:
    - Unknown
level: critical
	title: CVE-2024-1709 - ScreenConnect Authentication Bypass Exploitation
	id: d27eabad-9068-401a-b0d6-9eac744d6e67
	status: experimental
	description: \|
	Detects GET requests to '/SetupWizard.aspx/[anythinghere]' that indicate exploitation of the ScreenConnect vulnerability CVE-2024-1709.
	references:
	- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
	- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
	- https://www.cve.org/CVERecord?id=CVE-2024-1709
	author: Matt Anderson, Huntress
	date: 2024/02/20
	tags:
	- attack.initial_access
	- attack.persistence
	- cve.2024.1709
	logsource:
	category: webserver
	detection:
	selection:
	cs-uri-stem\|contains: '/SetupWizard.aspx/'
	condition: selection
	falsepositives:
	- Unknown
	level: critical