Yara Rule - Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass
Yara definition.
Author: Florian Roth
Reference: https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53
```yara
    meta:
        date = "2024-02-23"
        score = 65
    strings:
        $a1 = "<Users xmlns:xsi="
        $a2 = "<CreationDate>"
        $s1 = "@poc.com</Email>"
        $s2 = "<LastLoginDate>0001"

    meta:
        date = "2024-02-23"
        score = 75
    strings:
        $a1 = "<Users xmlns:xsi="
        $a2 = "<CreationDate>"
        $s1 = "@poc.com</Email>"
        $f1 = "<LastLoginDate>0001"

    meta:
        date = "2024-02-22"
        score = 65
    strings:
        $a1 = "<Users xmlns:xsi="

    meta:
        date = "2024-02-22"
        score = 50
    strings:
        $a1 = "<Users xmlns:xsi="

    meta:
        date = "2024-02-23"
        score = 60
    strings:
        $a1 = "<Users xmlns:xsi="
        $a2 = "<CreationDate>"
        $s1 = "<CreationDate>2024-"
        $s2 = "<LastLoginDate>0001-01-01T00:00:00</LastLoginDate>"
```
[https://github.com/Neo23x0/signature-base/commit/5318edbce85131c4eff9a0f79c242f68b961cc60](https://github.com/Neo23x0/signature-base/commit/5318edbce85131c4eff9a0f79c242f68b961cc60)
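The rule fragments above key on three artefacts in the ScreenConnect user store: the `<Users xmlns:xsi=` root, a `<CreationDate>` in 2024, and a `<LastLoginDate>` of `0001-01-01T00:00:00` (an account that has never signed in), optionally combined with the `@poc.com` e-mail address used by the public PoC. The following triage helper, added here as an example and not part of signature-base or of the watchTowr project, applies the same checks structurally to a Users XML file so an analyst can list the matching accounts instead of only getting a file-level hit. The element layout of the constructed sample (`<User>` with `<Name>`, `<Email>`, `<CreationDate>`, `<LastLoginDate>`) is an assumption; adjust the element names to the real file if they differ.

```python
"""Triage helper for a ScreenConnect Users XML store.

Example code added by the editor; not signature-base's rule and not the
watchTowr PoC. The <User> element layout below is assumed for the sample.
"""
import xml.etree.ElementTree as ET

# Substrings taken from the rule fragments on the page.
ANCHOR_STRINGS = ("<Users xmlns:xsi=", "<CreationDate>")
NEVER_LOGGED_IN = "0001-01-01T00:00:00"
POC_EMAIL_DOMAIN = "@poc.com"
SUSPICIOUS_CREATION_PREFIX = "2024-"

# Constructed sample (not real data): one long-standing admin that logs in,
# and one account created in 2024 that has never logged in and uses the
# PoC's e-mail domain.
SAMPLE_USERS_XML = """<Users xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:xsd="http://www.w3.org/2001/XMLSchema">
  <User>
    <Name>admin</Name>
    <Email>admin@example.test</Email>
    <CreationDate>2022-05-10T09:12:44</CreationDate>
    <LastLoginDate>2024-02-20T15:01:02</LastLoginDate>
  </User>
  <User>
    <Name>svc_backup</Name>
    <Email>watchtowr@poc.com</Email>
    <CreationDate>2024-02-22T03:14:15</CreationDate>
    <LastLoginDate>0001-01-01T00:00:00</LastLoginDate>
  </User>
</Users>
"""


def has_anchor_strings(xml_text: str) -> bool:
    """Cheap pre-filter mirroring the $a strings: does this look like a
    ScreenConnect Users store at all?"""
    return all(s in xml_text for s in ANCHOR_STRINGS)


def find_suspicious_users(xml_text: str) -> list:
    """Return one dict per account that matches the page's indicators.

    Reasons are reported separately so an analyst can tell a never-used
    account created in 2024 (could be benign) from one that also carries
    the PoC's e-mail domain (much stronger signal)."""
    if not has_anchor_strings(xml_text):
        return []
    root = ET.fromstring(xml_text)
    findings = []
    # The child elements carry no namespace, so plain tag names work here.
    for user in root.iter("User"):
        email = user.findtext("Email", default="")
        created = user.findtext("CreationDate", default="")
        last_login = user.findtext("LastLoginDate", default="")
        reasons = []
        if created.startswith(SUSPICIOUS_CREATION_PREFIX) and last_login.startswith(NEVER_LOGGED_IN):
            reasons.append("created in 2024 but never logged in")
        if email.lower().endswith(POC_EMAIL_DOMAIN):
            reasons.append("e-mail domain used by the public PoC")
        if reasons:
            findings.append({
                "name": user.findtext("Name", default=""),
                "email": email,
                "created": created,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_users(SAMPLE_USERS_XML):
        print(f"{hit['name']} <{hit['email']}> created {hit['created']}: "
              + "; ".join(hit["reasons"]))
```

Run it against an exported Users XML to get a per-account list; an account that only trips the "never logged in" reason deserves a look at who created it and when, while one that also matches the PoC domain is a strong sign the auth-bypass PoC was run against the server.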