https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-detect-the-screenconnect-client-in-response-to-cve-2024/m-p/579232#M6241 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/194856">@LtwcTeam10</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for sharing the XQL query with community. We appreciate you contribution.</P> <P>To learn more about Palo Alto's threat brief on it and how Palo Alto products protect against it please refer below article.</P> <P><A href="https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/" target="_blank">https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Mar 2024 03:22:31 GMT nsinghvirk 2024-03-05T03:22:31Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-detect-the-screenconnect-client-in-response-to-cve-2024/m-p/578389#M6148 <P>On&nbsp;February 19th ConnectWise released a security bulletin and update for their ScreenConnect software.&nbsp;&nbsp;<A href="https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8" target="_blank">https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8</A><BR />On February 20th&nbsp;ConnectWise announced that exploitation had been seen in the wild.&nbsp; At least one proof of concept was available at 6:27 AM UTC Feb 21&nbsp;<A href="https://twitter.com/watchtowrcyber/status/1760189490067390581" target="_blank">https://twitter.com/watchtowrcyber/status/1760189490067390581</A>&nbsp;<BR /><BR />The exploit complexity was incredibly low.&nbsp; A demo can be found here&nbsp;<SPAN><SPAN class="ui-provider a b c d e f g h i j k l m n o p q r s t u v w x y z ab ac ae af ag ah ai aj ak"><A class="fui-Link ___1rxvrpe f2hkw1w f3rmtva f1ewtqcl fyind8e f1k6fduh f1w7gpdv fk6fouc fjoy568 figsok6 f1hu3pq6 f11qmguv f19f4twv f1tyq0we f1g0x7ka fhxju0i f1qch9an f1cnd47f fqv5qza f1vmzxwi f1o700av f13mvf36 f1cmlufx f9n3di6 f1ids18y f1tx3yz7 f1deo86v f1eh06m1 f1iescvh fhgqx19 f1olyrje f1p93eir f1nev41a f1h8hb77 f1lqvz6u f10aw75t fsle3fq f17ae5zn" title="https://www.youtube.com/watch?v=ud5fp-whocs" href="https://www.youtube.com/watch?v=ud5FP-wHOcs" target="_blank" rel="noreferrer noopener" aria-label="Link https://www.youtube.com/watch?v=ud5FP-wHOcs">https://www.youtube.com/watch?v=ud5FP-wHOcs</A></SPAN></SPAN><BR /><BR />The following XQL will show hosts that have the Windows ScreenConnect client on them.&nbsp;&nbsp;<BR /></P> <LI-CODE lang="markup">config case_sensitive = true | preset = xdr_image_load | filter actor_process_image_name = "ScreenConnect.WindowsClient.exe" | dedup agent_hostname </LI-CODE> <P>&nbsp;</P> Mon, 26 Feb 2024 20:35:18 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-detect-the-screenconnect-client-in-response-to-cve-2024/m-p/578389#M6148 LtwcTeam10 2024-02-26T20:35:18Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-detect-the-screenconnect-client-in-response-to-cve-2024/m-p/579232#M6241 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/194856">@LtwcTeam10</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for sharing the XQL query with community. We appreciate you contribution.</P> <P>To learn more about Palo Alto's threat brief on it and how Palo Alto products protect against it please refer below article.</P> <P><A href="https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/" target="_blank">https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Mar 2024 03:22:31 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-to-detect-the-screenconnect-client-in-response-to-cve-2024/m-p/579232#M6241 nsinghvirk 2024-03-05T03:22:31Z