Date: 08/05/2024
Severity: High
Summary
Identifies signs of exploitation by threat actors targeting the "SlashAndGrab" vulnerability in ScreenConnect, as reported by Team Huntress.
Indicators of Compromise (IOC) List
TargetFilename:
C:\Windows\Temp\ScreenConnect\
\LB3.exe
C:\mpyutd.msi
C:\perflogs\RunSchedulerTaskOnce.ps1
C:\ProgramData\1.msi
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi
C:\ProgramData\update.dat
C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe
C:\Windows\Help\Help\SentinelAgentCore.dll
C:\Windows\Help\Help\SentinelUI.exe
C:\Windows\spsrv.exe
C:\Windows\Temp\svchost.exe
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
((resourcename = "Windows Security" AND eventtype = "4688") AND newprocessname in ("C:\\Windows\\Temp\\ScreenConnect","\\LB3.exe","C:\\mpyutd.msi","C:\\perflogs\\RunSchedulerTaskOnce.ps1","C:\\ProgramData\\1.msi","C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi","C:\\ProgramData\\update.dat","C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe","C:\\Windows\\Help\\Help\\SentinelAgentCore.dll","C:\\Windows\\Help\\Help\\SentinelUI.exe","C:\\Windows\\spsrv.exe","C:\\Windows\\Temp\\svchost.exe"))
Detection Query 2:
((technologygroup = "EDR") AND newprocessname in ("C:\\Windows\\Temp\\ScreenConnect","\\LB3.exe","C:\\mpyutd.msi","C:\\perflogs\\RunSchedulerTaskOnce.ps1","C:\\ProgramData\\1.msi","C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi","C:\\ProgramData\\update.dat","C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe","C:\\Windows\\Help\\Help\\SentinelAgentCore.dll","C:\\Windows\\Help\\Help\\SentinelUI.exe","C:\\Windows\\spsrv.exe","C:\\Windows\\Temp\\svchost.exe"))
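As an added example (not part of this page, the Gurucul queries, or the Sigma rule), the following Python applies the IOC list above to constructed Windows Security event 4688 records in the way a detection engineer would want it applied. It assumes the two partial entries, the ScreenConnect temp directory and the bare \LB3.exe file name, are meant as a path-prefix and a file-name-suffix indicator; the queries above use exact "in" matching for every entry, which would not fire on those two. The key=value log format and the sample records are constructed for the example.

```python
import re
# Indicators from the page's IOC list. Assumption: the first two are partial (a
# directory and a bare file name), matched as prefix/suffix; the rest are whole paths.
DIR_PREFIXES = ["C:\\Windows\\Temp\\ScreenConnect\\"]
NAME_SUFFIXES = ["\\LB3.exe"]
EXACT_PATHS = [
    "C:\\mpyutd.msi",
    "C:\\perflogs\\RunSchedulerTaskOnce.ps1",
    "C:\\ProgramData\\1.msi",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi",
    "C:\\ProgramData\\update.dat",
    "C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe",
    "C:\\Windows\\Help\\Help\\SentinelAgentCore.dll",
    "C:\\Windows\\Help\\Help\\SentinelUI.exe",
    "C:\\Windows\\spsrv.exe",
    "C:\\Windows\\Temp\\svchost.exe",
]
def match_ioc(path):
    """Return the indicator `path` matches, or None (NTFS paths are case-insensitive)."""
    p = path.lower()
    for ioc in EXACT_PATHS:
        if p == ioc.lower():
            return ioc
    for prefix in DIR_PREFIXES:
        if p.startswith(prefix.lower()):
            return prefix
    for suffix in NAME_SUFFIXES:
        if p.endswith(suffix.lower()):
            return suffix
    return None
# Constructed key=value rendering of Security event records, not real log output.
LINE_RE = re.compile(r'EventID=(?P<eid>\d+)\s+NewProcessName="(?P<proc>[^"]*)"')
SAMPLE_EVENTS = [
    'EventID=4688 NewProcessName="C:\\Windows\\Temp\\svchost.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\Temp\\ScreenConnect\\x\\LB3.exe"',
    'EventID=4688 NewProcessName="C:\\Windows\\System32\\svchost.exe"',
    'EventID=4624 NewProcessName="C:\\Windows\\spsrv.exe"',
    'EventID=4688 NewProcessName="C:\\Users\\Public\\lb3.exe"',
]
def scan_events(lines):
    """Match 4688 records only (the eventtype filter in Query 1); return (process, ioc) pairs."""
    hits = []
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m.group("eid") != "4688":
            continue
        ioc = match_ioc(m.group("proc"))
        if ioc:
            hits.append((m.group("proc"), ioc))
    return hits
```

The legitimate C:\Windows\System32\svchost.exe record and the non-4688 record produce no hit, which is the behaviour to verify before deploying a path-based rule like this one.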
Category: Sigma
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/TA/SlashAndGrab-Exploitation-In-Wild/file_event_win_apt_unknown_exploitation_indicators.yml