JohnHammond/SetupWizard_IIS_log.yara Secret

## SetupWizard_IIS_log.yara
rule ScreenConnect_CVE_2024_1709_Exploitation {
   meta:
      description = "Detects a GET request to '/SetupWizard.aspx/' with anything following it, which is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect 23.9.8 vulnerability (CWE-288), when found in IIS logs"
      author = "Huntress DE&TH Team"
      reference = "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass"
      date = "2024-02-20"
      id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
   strings:
      $s1 = "/SetupWizard.aspx/" ascii

   condition:
      $s1
}
	rule ScreenConnect_CVE_2024_1709_Exploitation {
	meta:
	description = "Detects a GET request to '/SetupWizard.aspx/' with anything following it, which is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect 23.9.8 vulnerability (CWE-288), when found in IIS logs"
	author = "Huntress DE&TH Team"
	reference = "https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass"
	date = "2024-02-20"
	id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
	strings:
	$s1 = "/SetupWizard.aspx/" ascii

	condition:
	$s1
	}