ConnectWise ScreenConnect Path Traversal

Try in Splunk Security Cloud

Description

The following analytic detects attempts to exploit the ConnectWise ScreenConnect CVE-2024-1708 vulnerability, which allows path traversal attacks by manipulating file_path and file_name parameters in the URL. It leverages the Endpoint datamodel Filesystem node to identify suspicious file system events, specifically targeting paths and filenames associated with ScreenConnect. This activity is significant as it can lead to unauthorized access to sensitive files and directories, potentially resulting in data exfiltration or arbitrary code execution. If confirmed malicious, attackers could gain unauthorized access and control over the host system, posing a severe security risk.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2024-05-13
• Author: Michael Haag, Splunk
• ID: 56a3ac65-e747-41f7-b014-dff7423c1dda

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1190	Exploit Public-Facing Application	Initial Access

Kill Chain Phase

• Delivery

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Filesystem where Filesystem.file_path IN ("*\\ScreenConnect\\App_Extensions\\*") Filesystem.file_name IN ("*.aspx","*.ashx") by Filesystem.file_create_time Filesystem.process_id Filesystem.process_guid Filesystem.file_name Filesystem.file_path Filesystem.dest 
| `drop_dm_object_name(Filesystem)` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `connectwise_screenconnect_path_traversal_filter`

Macros

The SPL above uses the following Macros:

• security_content_ctime
• security_content_summariesonly

connectwise_screenconnect_path_traversal_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• Filesystem.file_create_time
• Filesystem.process_id
• Filesystem.process_guid
• Filesystem.file_name
• Filesystem.file_path
• Filesystem.dest

How To Implement

This analytic utilizes the Endpoint datamodel Filesystem node to identify path traversal attempts against ScreenConnect. Note that using SACL auditing or other file system monitoring tools may also be used to detect path traversal attempts. Typically the data for this analytic will come from EDR or other properly CIM mapped data sources.

Known False Positives

False positives are not expected, as the detection is based on the presence of file system events that indicate path traversal attempts. The analytic may be modified to look for any file writes to this path as it is not common for files to write here.

Associated Analytic Story

• ConnectWise ScreenConnect Vulnerabilities

RBA

Risk Score	Impact	Confidence	Message
100.0	100	100	A path traversal attack against ScreenConnect has been detected on $dest$.

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the-screenconnect-authentication-bypass
• https://www.huntress.com/blog/detection-guidance-for-connectwise-cwe-288-2
• https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2