YARA rule - Detects a suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an authentication bypass.
Yara definition.
Author: Florian Roth
https://twitter.com/_johnhammond/status/1760357971127832637
```
$s1 = " GET /SetupWizard.aspx/" ascii
$s2 = " POST /SetupWizard.aspx/" ascii
$s3 = " PUT /SetupWizard.aspx/" ascii
$s4 = " HEAD /SetupWizard.aspx/" ascii

date = "2024-02-20"
score = 65
$a1 = "<Users xmlns:xsi="
$s1 = "@gmail.com</Email>"
$s2 = "<CreationDate>2024-"

date = "2024-02-20"
score = 50
$a1 = "<Users xmlns:xsi="
$s1 = "<CreationDate>2024-"
```
[https://github.com/Neo23x0/signature-base/commit/58594110422a572b37faf18ccb850a03edff8518](https://github.com/Neo23x0/signature-base/commit/58594110422a572b37faf18ccb850a03edff8518)
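
The following Python example is added here and is not code from the rule's author or from signature-base. It applies the strings listed on this page to constructed samples and contrasts a whole-file string match with a per-user check. Assumptions: each date/score pair belongs to the strings listed after it, a rule requires all of its strings, and user records are `<User>` elements; the log format and XML content are constructed.

```python
import re

# Strings copied from the rule fragments on this page.
LOG_STRINGS = (" GET /SetupWizard.aspx/", " POST /SetupWizard.aspx/",
               " PUT /SetupWizard.aspx/", " HEAD /SetupWizard.aspx/")
ANCHOR = "<Users xmlns:xsi="
GMAIL = "@gmail.com</Email>"
CREATED = "<CreationDate>2024-"

def scan_log(lines):
    """Return (line number, line) for requests to a path below /SetupWizard.aspx/."""
    return [(n, line.rstrip("\n")) for n, line in enumerate(lines, 1)
            if any(s in line for s in LOG_STRINGS)]

def file_score(xml):
    """Whole-file match as a string rule sees it (assumed: all strings required)."""
    if ANCHOR not in xml or CREATED not in xml:
        return 0
    return 65 if GMAIL in xml else 50

def user_findings(xml):
    """Per-record view: <User> blocks (assumed element name) created in 2024."""
    out = []
    for block in re.findall(r"<User>.*?</User>", xml, flags=re.S):
        if CREATED in block:
            email = re.search(r"<Email>(.*?)</Email>", block, flags=re.S)
            out.append({"email": email.group(1) if email else None,
                        "gmail": GMAIL in block})
    return out

# Constructed samples, not real data.
SAMPLE_LOG = [
    "2024-02-20 10:01:02 10.0.0.5 GET /Login 443 - 198.51.100.7 200\n",
    "2024-02-20 10:01:09 10.0.0.5 GET /SetupWizard.aspx/x 443 - 198.51.100.7 200\n",
    "2024-02-20 10:01:15 10.0.0.5 POST /SetupWizard.aspx/x 443 - 198.51.100.7 200\n",
    "2024-02-20 10:02:00 10.0.0.5 GET /SetupWizard.aspx 443 - 192.0.2.10 302\n",
]
SAMPLE_XML = """<Users xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <User><Email>admin@gmail.com</Email><CreationDate>2021-03-04T08:00:00</CreationDate></User>
  <User><Email>ops@example.org</Email><CreationDate>2024-02-20T10:01:20</CreationDate></User>
</Users>"""

if __name__ == "__main__":
    for n, line in scan_log(SAMPLE_LOG):
        print(f"log line {n}: {line}")
    print("file score:", file_score(SAMPLE_XML))
    print("per-user:", user_findings(SAMPLE_XML))
```

On the constructed XML the whole-file match scores 65 because the Gmail address and the 2024 creation date occur in the same file, while the per-user view shows they belong to different accounts; a hit is therefore a lead to review, not a verdict.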