ScreenConnect - SlashAndGrab Exploitation Indicators

Status
test
Severity
high
Author
Nasreddine Bencherchali (Nextron Systems)
Source
github.com/SigmaHQ/sigma

Detects file-creation indicators observed during in-the-wild exploitation of the "SlashAndGrab" ScreenConnect vulnerabilities (CVE-2024-1709, CVE-2024-1708), as reported by Team Huntress

Event coverage

Provider | Event       | Title
Sysmon   | Event ID 11 | FileCreate

Rule body yaml

title: ScreenConnect - SlashAndGrab Exploitation Indicators
id: 05164d17-8e11-4d7d-973e-9e4962436b87
status: test
description: |
    Detects indicators of exploitation by threat actors during exploitation of the "SlashAndGrab" vulnerability related to ScreenConnect as reported by Team Huntress
references:
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
author: Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-23
tags:
    - detection.emerging-threats
    - attack.stealth
logsource:
    product: windows
    category: file_event
detection:
    selection:
        - TargetFilename|contains|all:
              - 'C:\Windows\Temp\ScreenConnect\'
              - '\LB3.exe'
        - TargetFilename|contains:
              - 'C:\mpyutd.msi'
              - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
              - 'C:\ProgramData\1.msi'
              - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
              - 'C:\ProgramData\update.dat'
              - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
              - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
              - 'C:\Windows\Help\Help\SentinelUI.exe'
              - 'C:\Windows\spsrv.exe'
              - 'C:\Windows\Temp\svchost.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

Stages and Predicates

Stage 0: condition

selection

Stage 1: selection

selection:
    - TargetFilename|contains|all:
          - 'C:\Windows\Temp\ScreenConnect\'
          - '\LB3.exe'
    - TargetFilename|contains:
          - 'C:\mpyutd.msi'
          - 'C:\perflogs\RunSchedulerTaskOnce.ps1'
          - 'C:\ProgramData\1.msi'
          - 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi'
          - 'C:\ProgramData\update.dat'
          - 'C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe'
          - 'C:\Windows\Help\Help\SentinelAgentCore.dll'
          - 'C:\Windows\Help\Help\SentinelUI.exe'
          - 'C:\Windows\spsrv.exe'
          - 'C:\Windows\Temp\svchost.exe'
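The selection above is two OR-ed alternatives: a `contains|all` pair, which fires only when a single TargetFilename carries both the ScreenConnect temp directory and `\LB3.exe`, and a plain `contains` list where any one path suffices. The following is an added example (not part of the SigmaHQ rule or this catalog page) that reproduces that logic in Python and runs it over a few constructed Sysmon Event ID 11 records, mirroring Sigma's default case-insensitive string matching. The event dicts, image paths and version folder are constructed for the example; only the indicator strings come from the rule.

```python
"""Evaluate the SlashAndGrab file_event selection over sample Sysmon EID 11 records.

Added example, not the SigmaHQ rule's own code. The two tuples below are the
rule's indicator strings; everything else (events, paths) is constructed.
"""
from typing import Iterable

# Alternative 1 of `selection`: contains|all, both substrings must be present.
PAIR_ALL = ("C:\\Windows\\Temp\\ScreenConnect\\", "\\LB3.exe")
# Alternative 2 of `selection`: contains, any single substring suffices.
PATHS_ANY = (
    "C:\\mpyutd.msi",
    "C:\\perflogs\\RunSchedulerTaskOnce.ps1",
    "C:\\ProgramData\\1.msi",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\mpyutd.msi",
    "C:\\ProgramData\\update.dat",
    "C:\\Users\\oldadmin\\Documents\\MilsoftConnect\\Files\\ta.exe",
    "C:\\Windows\\Help\\Help\\SentinelAgentCore.dll",
    "C:\\Windows\\Help\\Help\\SentinelUI.exe",
    "C:\\Windows\\spsrv.exe",
    "C:\\Windows\\Temp\\svchost.exe",
)


def _contains(haystack: str, needle: str) -> bool:
    """Sigma `contains` modifier: case-insensitive substring test."""
    return needle.lower() in haystack.lower()


def matches(event: dict) -> bool:
    """True when a Sysmon EID 11 event satisfies the rule's `selection`."""
    target = event.get("TargetFilename", "")
    pair_hit = all(_contains(target, n) for n in PAIR_ALL)   # contains|all
    any_hit = any(_contains(target, n) for n in PATHS_ANY)   # contains
    return pair_hit or any_hit


def run(events: Iterable[dict]) -> list:
    """Return the TargetFilename of every event the rule would alert on."""
    return [e["TargetFilename"] for e in events if matches(e)]


# Constructed Sysmon Event ID 11 (FileCreate) records; paths are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 11,
     "Image": "C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.WindowsClient.exe",
     "TargetFilename": "C:\\Windows\\Temp\\ScreenConnect\\23.9.8.8811\\LB3.exe"},
    {"EventID": 11,
     "Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetFilename": "C:\\ProgramData\\1.msi"},
    {"EventID": 11,                                          # case differs from the rule
     "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "c:\\windows\\temp\\svchost.exe"},
    {"EventID": 11,                                          # LB3.exe outside ScreenConnect temp
     "Image": "C:\\Users\\jdoe\\Downloads\\setup.exe",
     "TargetFilename": "C:\\Users\\jdoe\\Downloads\\LB3.exe"},
    {"EventID": 11,                                          # ScreenConnect temp, but not LB3.exe
     "Image": "C:\\Program Files (x86)\\ScreenConnect\\Bin\\ScreenConnect.WindowsClient.exe",
     "TargetFilename": "C:\\Windows\\Temp\\ScreenConnect\\23.9.8.8811\\ScreenConnect.Client.dll"},
]

if __name__ == "__main__":
    for path in run(SAMPLE_EVENTS):
        print("ALERT", path)
```

Only the first three constructed events alert. The fourth drops `LB3.exe` outside `C:\Windows\Temp\ScreenConnect\`, so the `all` pair does not fire and no entry in the plain list matches; the fifth is legitimate ScreenConnect client staging in the same temp directory and is likewise left alone. That is the behaviour the rule intends, but it also means the rule is tied to the exact paths Huntress observed (including the user-specific `C:\Users\oldadmin\...` entry), so it is an indicator rule, not a behavioural one.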

Indicators

Each row is a field, the match kind, and the values the rule matches. Where a corpus column is shown, it counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators, while blank or 1 shows that the indicator is specific to this rule. Note that the two `contains|all` values below must both appear in the same TargetFilename; every other value matches on its own.

Field          | Kind  | Values
TargetFilename | match |
  • C:\ProgramData\1.msi
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\mpyutd.msi
  • C:\ProgramData\update.dat
  • C:\Users\oldadmin\Documents\MilsoftConnect\Files\ta.exe
  • C:\Windows\Help\Help\SentinelAgentCore.dll
  • C:\Windows\Help\Help\SentinelUI.exe
  • C:\Windows\Temp\ScreenConnect\  (contains|all, paired with \LB3.exe)
  • C:\Windows\Temp\svchost.exe
  • C:\Windows\spsrv.exe
  • C:\mpyutd.msi
  • C:\perflogs\RunSchedulerTaskOnce.ps1
  • \LB3.exe  (contains|all, paired with C:\Windows\Temp\ScreenConnect\)