Techniques
Sample rules
ConnectWise ScreenConnect Path Traversal Windows SACL
- source: splunk
- technicques:
- T1190
Description
This analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability utilizing Windows SACL EventCode 4663, which allows an attacker to perform path traversal attacks by manipulating the file_path and file_name parameters in the URL. The vulnerability, identified as critical with a CVSS score of 9.8, enables unauthorized users to access sensitive files and directories on the host system, potentially leading to the exfiltration of sensitive data or the execution of arbitrary code. The search query provided looks for file system events that could indicate exploitation attempts. This detection is crucial for identifying and responding to active exploitation of this vulnerability in environments running affected versions of ScreenConnect (23.9.7 and prior). It is recommended to update to version 23.9.8 or above immediately to remediate the issue, as detailed in the ConnectWise security advisory and further analyzed by Huntress researchers.
Detection logic
`wineventlog_security` EventCode=4663 ProcessName=*\\ScreenConnect.Service.exe file_path IN ("*\\ScreenConnect\\App_Extensions\\*") file_name IN ("*.aspx","*.ashx")
| stats count min(_time) as firstTime max(_time) as lastTime by ObjectName ObjectType ProcessName AccessMask process_id EventCode Computer Caller_User_Name
| rename Computer as dest Caller_User_Name as user ProcessName as process_name
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `connectwise_screenconnect_path_traversal_windows_sacl_filter`