Screenconnect

Date: 2024-02-21 ID: b0d3cc46-f74d-462b-b5db-71eba68d6912 Author: Michael Haag, Splunk Environment: attack_range Directory: screenconnect

Description

Manual generation of attack data related to ConnectWise Screenconnect CVE-2024-1708 CVE-2024-1709.

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

The following datasets were collected during this attack simulation:

Path: /datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log
Sourcetype: XmlWinEventLog
Source: XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

Path: /datasets/attack_techniques/T1190/screenconnect/nginx_screenconnect.log
Sourcetype: nginx:plus:access
Source: nginx

Path: /datasets/attack_techniques/T1190/screenconnect/connectwise_auth_suricata.log
Sourcetype: linux_secure
Source: linux_secure

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
ConnectWise ScreenConnect Path Traversal Windows SACL	`TTP`	Endpoint	T1190	ConnectWise ScreenConnect Vulnerabilities, Compromised Windows Host, Seashell Blizzard
ConnectWise ScreenConnect Path Traversal	`TTP`	Endpoint	T1190	ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard
Nginx ConnectWise ScreenConnect Authentication Bypass	`TTP`	Web	T1190	ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard, Scattered Lapsus$ Hunters, Hellcat Ransomware
ConnectWise ScreenConnect Authentication Bypass	`TTP`	Web	T1190	ConnectWise ScreenConnect Vulnerabilities, Seashell Blizzard

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1190/screenconnect/sysmon_app_extensions.log --index attack_data

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0