Yara Rule - Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass

Yara definition.

Author: Florian Roth

Reference: https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53

Only the meta and string fragments of the three rule variants survive here (two dated 2024-02-22 with scores 65 and 50, one dated 2024-02-23 with score 60); the rule headers and condition sections are not present on this page. All three anchor on the `<Users xmlns:xsi=` root of the ScreenConnect user store and look for a `<CreationDate>` in 2024; the third additionally requires a `<LastLoginDate>` equal to the .NET minimum date, i.e. an account that has never logged in.

```yara
// fragment 1
date = "2024-02-22"
score = 65
$a1 = "<Users xmlns:xsi="
$s1 = "@gmail.com</Email>"
$s2 = "<CreationDate>2024-"

// fragment 2
date = "2024-02-22"
score = 50
$a1 = "<Users xmlns:xsi="
$s1 = "<CreationDate>2024-"

// fragment 3
date = "2024-02-23"
score = 60
$a1 = "<Users xmlns:xsi="
$a2 = "<CreationDate>"
$s1 = "<CreationDate>2024-"
$s2 = "<LastLoginDate>0001-01-01T00:00:00</LastLoginDate>"
```
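As an added example (not code from signature-base or the referenced PoC), the same indicators applied in Python to a constructed user XML sample so the logic can be run over an export offline; only the element names come from the rule strings, the `<User>` nesting and the sample values are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real ScreenConnect export: it only reuses the element
# names the rule strings reference (<Users xmlns:xsi=...>, <Email>, <CreationDate>,
# <LastLoginDate>); the <User> nesting is an assumption.
SAMPLE_USERS_XML = """<Users xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <User>
    <Name>admin</Name>
    <Email>admin@example.com</Email>
    <CreationDate>2022-05-10T09:15:00</CreationDate>
    <LastLoginDate>2024-02-20T08:00:00</LastLoginDate>
  </User>
  <User>
    <Name>svc_backup</Name>
    <Email>randomname1234@gmail.com</Email>
    <CreationDate>2024-02-21T03:12:44</CreationDate>
    <LastLoginDate>0001-01-01T00:00:00</LastLoginDate>
  </User>
</Users>
"""

# $s2 of the third fragment: .NET DateTime.MinValue, what a never-used login shows.
NEVER_LOGGED_IN = "0001-01-01T00:00:00"


def suspicious_users(xml_text: str, year: str = "2024") -> list:
    """Return one dict per <User> created in `year` that has never logged in.
    A Gmail address ($s1 of the first fragment) is recorded as weaker context."""
    root = ET.fromstring(xml_text)
    if root.tag != "Users":  # $a1 anchors every fragment on the <Users> root
        return []
    findings = []
    for user in root.iter("User"):
        field = lambda tag: (user.findtext(tag) or "").strip()
        created, last_login, email = field("CreationDate"), field("LastLoginDate"), field("Email")
        reasons = []
        if created.startswith(f"{year}-"):
            reasons.append("created_in_year")
        if last_login == NEVER_LOGGED_IN:
            reasons.append("never_logged_in")
        if email.lower().endswith("@gmail.com"):
            reasons.append("gmail_address")
        # Both strong indicators are required; the address alone is too noisy.
        if {"created_in_year", "never_logged_in"} <= set(reasons):
            findings.append({"name": field("Name"), "email": email,
                             "created": created, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_users(SAMPLE_USERS_XML):
        print(f"SUSPICIOUS {f['name']} <{f['email']}> created {f['created']}: {f['reasons']}")
```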


[https://github.com/Neo23x0/signature-base/commit/8e14358f45d9d231d80ff751f1fadc4d19e5bed4](https://github.com/Neo23x0/signature-base/commit/8e14358f45d9d231d80ff751f1fadc4d19e5bed4)