Date: 01/09/2025
Severity: Medium
Summary
The "ScreenConnect User Database Modification - Security" rule detects changes to the temporary XML user database file, which may indicate local user modifications on the ScreenConnect server. Such changes can occur during exploitation of the ScreenConnect authentication bypass vulnerability (CVE-2024-1709) in versions earlier than 23.9.8, but may also be seen during legitimate user or permission modifications. To detect these changes, an Advanced Auditing policy is needed that logs successful Windows Event ID 4663 (object access) events, together with a SACL set on the directory.
Indicators of Compromise (IOC) List
EventID | 4663
ObjectType | 'File'
AccessMask | '0x6'
ObjectName | '.xml', 'Temp', 'ScreenConnect'
ProcessName | 'ScreenConnect.Service.exe'
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | (resourcename in ("Windows Security") AND eventtype = "4663" AND objecttype = "File" AND accessmask = "0x6" AND objectname like "/.xml" AND objectname like "Temp" AND objectname like "ScreenConnect" AND processname like "ScreenConnect.Service.exe")
Detection Query 2 | (technologygroup = "EDR" AND objecttype = "File" AND accessmask = "0x6" AND objectname like "/.xml" AND objectname like "Temp" AND objectname like "ScreenConnect" AND processname like "ScreenConnect.Service.exe")
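As an added example (not part of this advisory, the Gurucul queries or the referenced Sigma rule), the same matching conditions applied to a few constructed Event ID 4663 records; the field names follow the IOC table above, the file paths and records are constructed samples, and case-insensitive matching is an assumption.

```python
# Added example: the advisory's detection criteria applied to constructed
# Windows Security Event ID 4663 records. Field names follow the IOC table
# above; the event records and file paths are constructed samples.

# AccessMask 0x6 = WriteData (0x2) | AppendData (0x4), i.e. a write to the file.
REQUIRED_ACCESS_MASK = 0x6


def matches_rule(event: dict) -> bool:
    """True when a 4663 record meets every condition of the rule: a File
    object written (0x6) under a ...Temp...ScreenConnect... path ending in
    .xml, by ScreenConnect.Service.exe. Matching is case-insensitive (assumed)."""
    if str(event.get("EventID")) != "4663" or event.get("ObjectType") != "File":
        return False
    try:
        # Logged as a hex string such as "0x6"; compare numerically so
        # "0x06" is treated the same as "0x6".
        access_mask = int(str(event.get("AccessMask", "0")), 16)
    except ValueError:
        return False
    if access_mask != REQUIRED_ACCESS_MASK:
        return False
    name = str(event.get("ObjectName", "")).lower()
    if not (name.endswith(".xml") and "temp" in name and "screenconnect" in name):
        return False
    return str(event.get("ProcessName", "")).lower().endswith("screenconnect.service.exe")


def matching_events(events: list) -> list:
    """Return the records that trigger the rule, in input order."""
    return [e for e in events if matches_rule(e)]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x6",  # write by the service: hit
     "ObjectName": r"C:\Example\ScreenConnect\Temp\users.xml",
     "ProcessName": r"C:\Example\ScreenConnect\Bin\ScreenConnect.Service.exe"},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x1",  # ReadData only: no hit
     "ObjectName": r"C:\Example\ScreenConnect\Temp\users.xml",
     "ProcessName": r"C:\Example\ScreenConnect\Bin\ScreenConnect.Service.exe"},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x6",  # other process: outside the rule's scope
     "ObjectName": r"C:\Example\ScreenConnect\Temp\users.xml",
     "ProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4663, "ObjectType": "File", "AccessMask": "0x6",  # not the .xml database: no hit
     "ObjectName": r"C:\Example\ScreenConnect\Temp\session.log",
     "ProcessName": r"C:\Example\ScreenConnect\Bin\ScreenConnect.Service.exe"},
]

if __name__ == "__main__":
    for hit in matching_events(SAMPLE_EVENTS):
        print("ALERT:", hit["ProcessName"], "->", hit["ObjectName"])
```

Note that the third record is deliberately not matched: as written, both the queries and the Sigma rule scope the write to ScreenConnect.Service.exe, so writes to the same file by any other process would need a separate rule.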
Reference:
https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-1709/win_security_exploit_cve_2024_1709_user_database_modification_screenconnect.yml