false positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. the analytic may be modified to look for any file writes to this path as it is not common for files to write here.

T1190

Sample rules

ConnectWise ScreenConnect Path Traversal

source: splunk
technicques:
- T1190

Description

This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.

Detection logic


| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `connectwise_screenconnect_path_traversal_filter`

Nginx ConnectWise ScreenConnect Authentication Bypass

source: splunk
technicques:
- T1190

Description

This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1709 vulnerability, which allows an attacker to bypass authentication using an alternate path or channel. The vulnerability, identified as critical with a CVSS score of 10, enables unauthorized users to access the SetupWizard.aspx page on already-configured ScreenConnect instances, potentially leading to the creation of administrative users and remote code execution. The search query provided looks for web requests to the SetupWizard.aspx page that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.

Detection logic

`nginx_access_logs` uri_path IN ("*/SetupWizard.aspx/*","*/SetupWizard/") status=200 http_method=POST  
| stats count min(_time) as firstTime max(_time) as lastTime by src, dest, http_user_agent, url, uri_path, status, http_method, sourcetype, source 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `nginx_connectwise_screenconnect_authentication_bypass_filter`

ConnectWise ScreenConnect Authentication Bypass

source: splunk
technicques:
- T1190

Description

Detection logic


| tstats count min(_time) as firstTime max(_time) as lastTime from datamodel=Web where Web.url IN ("*/SetupWizard.aspx/*","*/SetupWizard/") Web.status=200 Web.http_method=POST by Web.src, Web.dest, Web.http_user_agent, Web.url, Web.status, Web.http_method, sourcetype, source 
| rex field=Web.url "/SetupWizard.aspx/(?<randomPath>.+)" 
| `drop_dm_object_name("Web")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `connectwise_screenconnect_authentication_bypass_filter`