Date: 01/31/2025
Severity: High
Summary
This detection identifies file modifications to ASPX and ASHX files in the root of the ScreenConnect App_Extensions directory, a location that can be written to through the ZipSlip vulnerability in versions before 23.9.8; such writes occur during exploitation of CVE-2024-1708. To capture these events, an Advanced Auditing policy must be enabled to log successful Windows Event ID 4663 (object access) events, and a System Access Control List (SACL) must be configured on the directory.
Indicators of Compromise (IOC) List
| Field | Value |
| --- | --- |
| EventID | 4663 |
| ObjectType | 'File' |
| ProcessName | 'ScreenConnect.Service.exe' |
| AccessMask | '0x6' |
| ObjectName | 'ScreenConnect\\App_Extensions\\*.ashx', 'ScreenConnect\\App_Extensions\\*.aspx'; the pattern 'ScreenConnect\App_Extensions\\*\\' is used as the subdirectory exclusion in the queries below |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
| Query | Expression |
| --- | --- |
| Detection Query 1 | (resourcename in ("Windows Security") AND eventtype = "4663" AND objecttype like "file" AND processname like "ScreenConnect.Service.exe" AND accessmask like "0x6" AND (objectname like "ScreenConnect\\App_Extensions\\*.ashx" OR objectname like "ScreenConnect\\App_Extensions\\*.aspx") AND objectname not like "ScreenConnect\App_Extensions\\*\\") |
| Detection Query 2 | (technologygroup = "EDR" AND objecttype like "file" AND processname like "ScreenConnect.Service.exe" AND accessmask like "0x6" AND (objectname like "ScreenConnect\\App_Extensions\\*.ashx" OR objectname like "ScreenConnect\\App_Extensions\\*.aspx") AND objectname not like "ScreenConnect\App_Extensions\\*\\") |
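The same detection logic applied to exported 4663 records, as an added example that is not part of the original advisory or the Gurucul platform: the sample events are constructed, and the access-mask check tests for the WriteData/AppendData bits (0x6) rather than the literal string "0x6", so masks that include additional rights are also matched.

```python
"""Flag 4663 writes to .aspx/.ashx files placed directly in ScreenConnect\App_Extensions."""
from pathlib import PureWindowsPath

WRITE_BITS = 0x6  # FILE_WRITE_DATA (0x2) | FILE_APPEND_DATA (0x4), the page's AccessMask 0x6
WEB_HANDLER_SUFFIXES = {".aspx", ".ashx"}
SC_ROOT = r"C:\Program Files (x86)\ScreenConnect"

# Constructed sample events shaped like a JSON export of Security log 4663 records.
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x6",
     "ProcessName": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "ObjectName": SC_ROOT + r"\App_Extensions\update.aspx"},            # hit: root-level .aspx
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x2",
     "ProcessName": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "ObjectName": SC_ROOT + r"\App_Extensions\upload.ashx"},            # hit: WriteData bit set
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x6",
     "ProcessName": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "ObjectName": SC_ROOT + r"\App_Extensions\{extension-id}\Service.ashx"},  # subdirectory: excluded
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x6",
     "ProcessName": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "ObjectName": SC_ROOT + r"\App_Extensions\notes.txt"},              # not a web handler
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x1",
     "ProcessName": SC_ROOT + r"\Bin\ScreenConnect.Service.exe",
     "ObjectName": SC_ROOT + r"\App_Extensions\update.aspx"},            # read only (0x1), no write bits
]


def is_suspicious_extension_write(event: dict) -> bool:
    """Return True when the event matches the page's detection conditions."""
    if str(event.get("EventID")) != "4663" or str(event.get("ObjectType", "")).lower() != "file":
        return False
    if PureWindowsPath(str(event.get("ProcessName", ""))).name.lower() != "screenconnect.service.exe":
        return False
    try:
        mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    if not mask & WRITE_BITS:
        return False
    target = PureWindowsPath(str(event.get("ObjectName", "")))
    if target.suffix.lower() not in WEB_HANDLER_SUFFIXES:
        return False
    # File must sit directly in ...\ScreenConnect\App_Extensions\; anything one level deeper
    # is what the queries' "not like ...App_Extensions\*\" clause excludes.
    return (target.parent.name.lower() == "app_extensions"
            and target.parent.parent.name.lower() == "screenconnect")


def find_hits(events) -> list:
    """Object names of all events that satisfy the detection."""
    return [e["ObjectName"] for e in events if is_suspicious_extension_write(e)]


if __name__ == "__main__":
    for name in find_hits(SAMPLE_EVENTS):
        print("ALERT: web handler written to App_Extensions root:", name)
```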
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-1708/win_security_exploit_cve_2024_1708_screenconnect.yml