JohnHammond/App_Extensions_sigma_rule.yml Secret

## App_Extensions_sigma_rule.yml
title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
status: experimental
description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8.  This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
references:
  - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
  - https://www.cve.org/CVERecord?id=CVE-2024-1708
  - https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
author: Huntress DE&TH Team
date: 2024/02/20
tags:
  - attack.initial_access
  - attack.persistence
  - cve.2024.1709
logsource:
  product: windows
  service: security
  definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
detection:
  selection:
      EventID: 4663
      ObjectType: 'File'
      ProcessName|contains: 'ScreenConnect.Service.exe'
      AccessMask: '0x6'
      ObjectName|endswith:
          - 'ScreenConnect\\App_Extensions\\*.ashx'
          - 'ScreenConnect\\App_Extensions\\*.aspx'
  legitimate_path:
      ObjectName|contains: 'ScreenConnect\App_Extensions\\*\\'
  condition: selection and not legitimate_path
falsepositives:
  - Unknown
level: critical
	title: CVE-2024-1708 - ScreenConnect Path Traversal Exploitation
	id: 4c198a60-7d05-4daf-8bf7-4136fb6f5c62
	status: experimental
	description: This detects file modifications to ASPX and ASHX files within the root of the App_Extensions directory, which is allowed by a ZipSlip vulnerability in versions prior to 23.9.8. This occurs during exploitation of CVE-2024-1708. This requires an Advanced Auditing policy to log a successful Windows Event ID 4663 events and with a SACL set on the directory.
	references:
	- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
	- https://www.cve.org/CVERecord?id=CVE-2024-1708
	- https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
	author: Huntress DE&TH Team
	date: 2024/02/20
	tags:
	- attack.initial_access
	- attack.persistence
	- cve.2024.1709
	logsource:
	product: windows
	service: security
	definition: 'Requirements: SACLs must be enabled for the ScreenConnect directory'
	detection:
	selection:
	EventID: 4663
	ObjectType: 'File'
	ProcessName\|contains: 'ScreenConnect.Service.exe'
	AccessMask: '0x6'
	ObjectName\|endswith:
	- 'ScreenConnect\\App_Extensions\\*.ashx'
	- 'ScreenConnect\\App_Extensions\\*.aspx'
	legitimate_path:
	ObjectName\|contains: 'ScreenConnect\App_Extensions\\*\\'
	condition: selection and not legitimate_path
	falsepositives:
	- Unknown
	level: critical