02-26-2024 12:35 PM
On February 19th ConnectWise released a security bulletin and update for their ScreenConnect software. https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
On February 20th ConnectWise announced that exploitation had been seen in the wild. At least one proof of concept was available at 6:27 AM UTC Feb 21 https://twitter.com/watchtowrcyber/status/1760189490067390581
The exploit complexity was incredibly low. A demo can be found here https://www.youtube.com/watch?v=ud5FP-wHOcs
The following XQL will show hosts that have the Windows ScreenConnect client on them.
config case_sensitive = true | preset = xdr_image_load | filter actor_process_image_name = "ScreenConnect.WindowsClient.exe" | dedup agent_hostname
03-04-2024 07:22 PM
Hello @LtwcTeam10
Thanks for sharing the XQL query with community. We appreciate you contribution.
To learn more about Palo Alto's threat brief on it and how Palo Alto products protect against it please refer below article.
https://unit42.paloaltonetworks.com/connectwise-threat-brief-cve-2024-1708-cve-2024-1709/
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
