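/*
   ConnectWise ScreenConnect authentication bypass (Feb 2024, fixed in 23.9.8) -
   exploitation and post-exploitation indicators. The Huntress report referenced
   below tracks the issue as CVE-2024-1708 / CVE-2024-1709.

   Rule groups:
     1. IIS log indicator for the exploit request itself
     2. Artefacts in the on-disk ScreenConnect user store (watchTowr PoC)
     3. Post-exploitation artefacts from the Huntress report (scripts, ransom notes, binaries)
     4. THOR-only rules at the end of the file (they use the THOR external `filepath`)

   Deployment notes:
     - `pe.imphash()` needs a YARA build with hash support.
     - `filepath` is not defined in stock yara; a file containing the last three
       rules fails to compile unless the external is supplied
       (e.g. `yara -d filepath=""`) or those rules are kept in a separate THOR-only file.
     - Several string anchors in this file were lost as empty strings ("") in the
       copy under review; YARA rejects empty strings at compile time, so they have
       been reconstructed and are marked NOTE(review) - confirm them against a real
       App_Data user store before relying on the rules.
*/
import "pe"

rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs {
   meta:
      description = "Detects an http request to '/SetupWizard.aspx/' (trailing slash, with or without anything following it), which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Huntress DE&TH Team (modified by Florian Roth)"
      reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
      date = "2024-02-20"
      modified = "2024-02-21"
      // score added for consistency with the rest of the file (the original had none)
      score = 75
      id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
   strings:
      // W3C IIS log layout is "date time s-ip cs-method cs-uri-stem ...", hence the
      // leading space before the method. The slash appended to SetupWizard.aspx is
      // the bypass vector. IIS/ASP.NET resolve request paths case-insensitively, so
      // "/setupwizard.aspx/" works just as well for an attacker -> nocase.
      $s1 = " GET /SetupWizard.aspx/" ascii nocase
      $s2 = " POST /SetupWizard.aspx/" ascii nocase
      $s3 = " PUT /SetupWizard.aspx/" ascii nocase
      $s4 = " HEAD /SetupWizard.aspx/" ascii nocase
   condition:
      1 of them
}

rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login"
      author = "Florian Roth"
      reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
      date = "2024-02-23"
      score = 65
      id = "c57e6c6a-298f-5ff3-b76a-03127ff88699"
   strings:
      // NOTE(review): the original anchor literal was lost (empty string = YARA
      // compile error). Reconstructed as the start of the XML user element of the
      // ScreenConnect App_Data user store; verify against a real store file.
      $a1 = "<User"
      // e-mail domain hard-coded in the watchTowr PoC (see reference)
      $s1 = "@poc.com"
      // "never logged in" marker - presumably .NET DateTime.MinValue as serialised to
      // XML. The full timestamp is used (as in SUSP_ScreenConnect_User_2024_No_Logon_Feb24)
      // instead of the bare "0001", which occurs in almost any file.
      $s2 = "0001-01-01T00:00:00"
   condition:
      filesize < 200KB and all of ($a*) and all of ($s*)
}

rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used to login"
      author = "Florian Roth"
      reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
      date = "2024-02-23"
      score = 75
      id = "91990558-f145-5968-9722-b6815f6ad8d5"
   strings:
      // NOTE(review): reconstructed anchor, see SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24
      $a1 = "<User"
      $s1 = "@poc.com"
      // "never logged in" marker; full timestamp rather than the bare "0001" so that
      // an unrelated "0001" elsewhere in the store cannot suppress this rule
      $f1 = "0001-01-01T00:00:00"
   condition:
      // The negation is file-wide: any account in the store that never logged in
      // suppresses this rule, in which case the _Unused sibling fires instead, so
      // the pair always covers a @poc.com user (the split only drives the score).
      filesize < 200KB and all of ($a*) and $s1 and not 1 of ($f*)
}

rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT {
   meta:
      description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      id = "079f4153-8bc7-574f-b6fa-af5536b842ab"
   strings:
      /* Defender exclusion for every logical disk */
      $x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"
      /* $x13 below is a longer form of the same drop path; both kept for partial command lines */
      $x02 = ".msi c:\\mpyutd.msi"
      $x03 = "/MyUserName_$env:UserName"
      $x04 = " -OutFile C:\\Windows\\Help\\"
      // NOTE(review): "\\\\" in a YARA text string matches two literal backslashes,
      // i.e. an escaped task path (e.g. inside a PowerShell/JSON string). A plain
      // "schtasks /Create /TN \Microsoft\..." command line would need "\\" - confirm
      // which form was observed.
      $x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
      /* SSH reverse tunnel for RDP (9595 -> 3389 over 443) */
      $x06 = "$e = $r + \"ssh.exe\""
      $x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
      $x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
      $x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
      $x10 = "9595; iwr -UseBasicParsing "
      // Refanged: the copy under review carried the defanged form "cmctt.]com",
      // which can never appear in a real script or command line.
      $x11 = "curl https://cmctt.com/pub/media/wysiwyg/"
      $x12 = ":8080/servicetest2.dll"
      $x13 = "/msappdata.msi c:\\mpyutd.msi"
      $x14 = "/svchost.exe -OutFile "
      $x15 = "curl http://minish.wiki.gd"
      $x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
      $x17 = "rundll32.exe' -Headers @"
      $x18 = "/nssm.exe' -Headers @"
      /* matches the rundll32 invocation of the loader detected by MAL_CS_Loader_Feb24_1 */
      $x19 = "c:\\programdata\\update.dat UpdateSystem"
      /* inline base64 PE ("TVqQAA" = "MZ\x90\x00") selected by pointer size; escaped and unescaped quote variants */
      $x20 = "::size -eq 4){\\\"TVqQAA" ascii wide
      $x21 = "::size -eq 4){\"TVqQAA" ascii wide
      $x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"
      /* Persistence: local account creation with observed credentials, xmrig service */
      $xp0 = "/add default test@2021! /domain"
      $xp1 = "/add default1 test@2021! /domain"
      $xp2 = "oldadmin Pass8080!!"
      $xp3 = "temp 123123qwE /add "
      $xp4 = "oldadmin \"Pass8080!!\""
      $xp5 = "nssm set xmrig AppDirectory "
   condition:
      // the $x* wildcard also covers the $xp* persistence strings
      1 of ($x*)
}

rule SUSP_Command_Line_Combos_Feb24_2 : SCRIPT {
   meta:
      description = "Detects suspicious command line combinations often found in post exploitation activities"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      id = "d9bc6083-c3ca-5639-a9df-483fea6d0187"
   strings:
      // PowerShell tokens are case-insensitive and scripts on disk may be UTF-16,
      // so match nocase and wide; "iwr ... | IEX" would otherwise slip past.
      // Download-and-invoke is also used by legitimate installer one-liners, so
      // expect some benign hits at this score.
      $sa1 = " | iex" ascii wide nocase
      $sa2 = "iwr -UseBasicParsing " ascii wide nocase
   condition:
      filesize < 2MB and all of them
}

rule SUSP_PS1_Combo_TransferSH_Feb24 : SCRIPT {
   meta:
      description = "Detects suspicious PowerShell command that downloads content from transfer.sh as often found in loaders"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 70
      id = "fd14cca5-9cf8-540b-9d6e-39ca2c267272"
   strings:
      // single- and double-quoted variants of WebClient.DownloadString / Invoke-WebRequest;
      // nocase/wide because PowerShell is case-insensitive and scripts may be UTF-16
      $x1 = ".DownloadString('https://transfer.sh" ascii wide nocase
      $x2 = ".DownloadString(\"https://transfer.sh" ascii wide nocase
      $x3 = "Invoke-WebRequest -Uri 'https://transfer.sh" ascii wide nocase
      $x4 = "Invoke-WebRequest -Uri \"https://transfer.sh" ascii wide nocase
   condition:
      1 of them
}

rule MAL_SUSP_RANSOM_LockBit_RansomNote_Feb24 {
   meta:
      description = "Detects the LockBit ransom note file 'LockBit-DECRYPT.txt' which is a sign of a LockBit ransomware infection"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      id = "b2fcb2a7-49e8-520c-944f-6acd5ded579b"
   strings:
      // header line of the note; no size limit so it also hits in memory dumps
      $x1 = ">>>> Your personal DECRYPTION ID:"
   condition:
      1 of them
}

rule MAL_SUSP_RANSOM_Lazy_RansomNote_Feb24 {
   meta:
      description = "Detects the Lazy ransom note file 'HowToRestoreYourFiles.txt' which is a sign of a Lazy ransomware infection"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      id = "287dfd67-8d0d-5906-b593-3af42a5a3aa4"
   strings:
      $x1 = "All Encrypted files can be reversed to original form and become usable"
   condition:
      1 of them
}

rule SUSP_MAL_SigningCert_Feb24_1 {
   meta:
      description = "Detects PE files signed with a certificate used to sign malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      hash1 = "37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab991aad5dd6a9c231b"
      hash2 = "e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2da729867935c793"
      id = "f25ea77a-1b4e-5c13-9117-eedf0c20335a"
   strings:
      // Plain byte matching on the Authenticode blob rather than pe.signatures, so
      // a signed payload embedded in a larger carrier is caught too.
      $s1 = "Wisdom Promise Security Technology Co." ascii
      $s2 = "Globalsign TSA for CodeSign1" ascii
      // NOTE(review): presumably a serial-number fragment of the signing certificate - confirm
      $s3 = { 5D AC 0B 6C 02 5A 4B 21 89 4B A3 C2 }
   condition:
      uint16(0) == 0x5a4d and filesize < 70000KB and all of them
}

rule MAL_CS_Loader_Feb24_1 {
   meta:
      description = "Detects Cobalt Strike malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      hash1 = "0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6a7ebe65bf3fdd6fe"
      id = "6c9914a4-b079-5a39-9d3b-7b9a2b54dc2b"
   strings:
      $s1 = "Dll_x86.dll" ascii fullword
   condition:
      // the exported entry point (cf. $x19 in the artefacts rule) gates the whole rule;
      // the import hash or the internal DLL name then confirms the family
      uint16(0) == 0x5a4d and filesize < 1000KB and (
         pe.exports("UpdateSystem") and (
            pe.imphash() == "0dc05c4c21a86d29f1c3bf9cc5b712e0" or $s1
         )
      )
}

rule MAL_RANSOM_LockBit_Indicators_Feb24 {
   meta:
      description = "Detects Lockbit ransomware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      hash1 = "a50d9954c0a50e5804065a8165b18571048160200249766bfa2f75d03c8cb6d0"
      id = "108430c8-4fe5-58a1-b709-539b257c120c"
   strings:
      $op1 = { 76 c1 95 8b 18 00 93 56 bf 2b 88 71 4c 34 af b1 a5 e9 77 46 c3 13 }
      $op2 = { e0 02 10 f7 ac 75 0e 18 1b c2 c1 98 ac 46 }
      $op3 = { 8b c6 ab 53 ff 15 e4 57 42 00 ff 45 fc eb 92 ff 75 f8 ff 15 f4 57 42 00 }
   condition:
      // Parenthesised to make the precedence explicit (same semantics as the
      // original "a and b and (c or d) or e"): the "all of them" branch is
      // deliberately not bound to the MZ header or size, so all three opcode
      // sequences also fire on memory dumps and larger carriers.
      (
         uint16(0) == 0x5a4d and filesize < 500KB and (
            pe.imphash() == "914685b69f2ac2ff61b6b0f1883a054d" or 2 of them
         )
      ) or all of them
}

rule MAL_MSI_Mpyutils_Feb24_1 {
   meta:
      description = "Detects malicious MSI package mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 70
      hash1 = "8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc889a5e3fba4d7e600"
      id = "e7794336-a325-5b92-8c25-81ed9cb28044"
   strings:
      $s1 = "crypt64ult.exe" ascii fullword
      $s2 = "EXPAND.EXE" wide fullword
      $s3 = "ICACLS.EXE" wide fullword
   condition:
      // 0xcfd0 = little-endian read of the OLE compound-file magic D0 CF 11 E0 (MSI container)
      uint16(0) == 0xcfd0 and filesize < 20000KB and all of them
}

rule MAL_Beacon_Unknown_Feb24_1 {
   meta:
      description = "Detects malware samples mentioned in a HuntressLabs report on the exploitation of ScreenConnect vulnerability CVE-2024-1708 and CVE-2024-1709"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      hash1 = "6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e70f6307aae21f9090"
      hash2 = "b0adf3d58fa354dbaac6a2047b6e30bc07a5460f71db5f5975ba7b96de986243"
      hash3 = "c0f7970bed203a5f8b2eca8929b4e80ba5c3276206da38c4e0a4445f648f3cec"
      id = "9299fd44-5327-5a73-8299-108b710cb16e"
   strings:
      $s1 = "Driver.dll" wide fullword
      $s2 = "X l.dlT" ascii fullword
      $s3 = "$928c7481-dd27-8e23-f829-4819aefc728c" ascii fullword
   condition:
      // 3 of 3: all strings are required
      uint16(0) == 0x5a4d and filesize < 2000KB and 3 of ($s*)
}

/* --------------------------------------------------------------------------------- */
/* Only usable with THOR or THOR Lite, e.g. in THOR Cloud: the rules below reference
   the external variable `filepath`, which stock yara does not define (compile error
   for the whole file unless supplied with `-d filepath=...`). */

rule SUSP_ScreenConnect_User_Gmail_2024_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
      date = "2024-02-22"
      score = 65
      id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e"
   strings:
      // NOTE(review): reconstructed anchor, see SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24
      $a1 = "<User"
      // The copy under review had no Gmail string at all, which made this rule a
      // strict superset of SUSP_ScreenConnect_New_User_2024_Feb24 at a higher score;
      // the domain check the description promises is restored here.
      $s1 = "@gmail.com"
      // NOTE(review): any 2024 timestamp in the store matches, not only creation dates
      $s2 = "2024-"
   condition:
      filesize < 200KB and all of them and filepath contains "\\ScreenConnect\\App_Data\\"
}

rule SUSP_ScreenConnect_New_User_2024_Feb24 {
   meta:
      description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
      date = "2024-02-22"
      score = 50
      id = "f6675ded-39a4-590a-a201-fcfe3c056e60"
   strings:
      // Deliberately weak (low score): "2024-" matches any 2024 timestamp in the
      // store, e.g. a login date of an old account, not only a creation date.
      // NOTE(review): anchor to the creation-date element once the schema is confirmed.
      $a1 = "2024-"
   condition:
      filesize < 200KB and all of them and filepath contains "\\ScreenConnect\\App_Data\\"
}

rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
      date = "2024-02-23"
      score = 60
      id = "c0861f1c-08e2-565d-a468-2075c51b4004"
   strings:
      // NOTE(review): reconstructed anchor, see SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24
      $a1 = "<User"
      $s1 = "2024-"
      // "never logged in" marker (presumably .NET DateTime.MinValue serialised to XML)
      $s2 = "0001-01-01T00:00:00"
   condition:
      // Both strings are matched file-wide, so the 2024 timestamp and the
      // never-logged-in marker may belong to different accounts; treat a hit as a
      // prompt to inspect the store, not as proof of one attacker-created user.
      filesize < 200KB and all of them and filepath contains "\\ScreenConnect\\App_Data\\"
}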