YARA rules for ConnectWise

7 rules, scoped to this tool.

YARA rules whose family, name, or description matches this tool or its tooling. Use these for binary-pattern hunts.

Rule: ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs (direct match: ConnectWise)
Detects an HTTP request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an authentication bypass.
Author: Huntress DE&TH Team (modified by Florian Roth) · License: see source repo
rule ConnectWise_ScreenConnect_Authentication_Bypass_Feb_2024_Exploitation_IIS_Logs {
   meta:
      description = "Detects an http request to '/SetupWizard.aspx/' with anything following it, which when found in IIS logs is a potential indicator of compromise of the 2024 ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Huntress DE&TH Team (modified by Florian Roth)"
      reference = "https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8"
      date = "2024-02-20"
      modified = "2024-02-21"
      id = "2886530b-e164-4c4b-b01e-950e3c40acb4"
   strings:
      $s1 = " GET /SetupWizard.aspx/" ascii
      $s2 = " POST /SetupWizard.aspx/" ascii
      $s3 = " PUT /SetupWizard.aspx/" ascii
      $s4 = " HEAD /SetupWizard.aspx/" ascii
   condition:
      1 of them
}
Rule: SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 (direct match: ScreenConnect)
Detects a suspicious ScreenConnect user with a poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the PoC released by watchTowr, where the account has not yet been used to log in.
Author: Florian Roth · License: see source repo
rule SUSP_ScreenConnect_User_PoC_Com_Unused_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account wasn't actually used yet to login"
      author = "Florian Roth"
      reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
      date = "2024-02-23"
      score = 65
      id = "c57e6c6a-298f-5ff3-b76a-03127ff88699"
   strings:
      $a1 = "<Users xmlns:xsi="
      $a2 = "<CreationDate>"

      $s1 = "@poc.com</Email>"
      $s2 = "<LastLoginDate>0001"
   condition:
      filesize < 200KB
      and all of ($a*)
      and all of ($s*)
}
Rule: SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 (direct match: ScreenConnect)
Detects a suspicious ScreenConnect user with a poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the PoC released by watchTowr, where the account has already been used to log in.
Author: Florian Roth · License: see source repo
rule SUSP_ScreenConnect_User_PoC_Com_Used_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user with poc.com email address, which is a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability with the POC released by WatchTower and the account was already used yet to login"
      author = "Florian Roth"
      reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
      date = "2024-02-23"
      score = 75
      id = "91990558-f145-5968-9722-b6815f6ad8d5"
   strings:
      $a1 = "<Users xmlns:xsi="
      $a2 = "<CreationDate>"

      $s1 = "@poc.com</Email>"

      $f1 = "<LastLoginDate>0001"
   condition:
      filesize < 200KB
      and all of ($a*)
      and $s1
      and not 1 of ($f*)
}
Rule: SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 (direct match: ScreenConnect)
Detects post-exploitation indicators observed by Huntress Labs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an authentication bypass.
Author: Florian Roth · License: see source repo
rule SUSP_ScreenConnect_Exploitation_Artefacts_Feb24 : SCRIPT {
   meta:
      description = "Detects post exploitation indicators observed by HuntressLabs in relation to the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
      date = "2024-02-23"
      score = 75
      id = "079f4153-8bc7-574f-b6fa-af5536b842ab"
   strings:
      $x01 = "-c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}"
      $x02 = ".msi c:\\mpyutd.msi"
      $x03 = "/MyUserName_$env:UserName"
      $x04 = " -OutFile C:\\Windows\\Help\\"
      $x05 = "/Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_"
      $x06 = "$e = $r + \"ssh.exe\""
      $x07 = "Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id"
      $x08 = "-R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no "
      $x09 = "chromeremotedesktophost.msi', $env:ProgramData+"
      $x10 = "9595; iwr -UseBasicParsing "
      $x11 = "curl  https://cmctt.]com/pub/media/wysiwyg/"
      $x12 = ":8080/servicetest2.dll"
      $x13 = "/msappdata.msi c:\\mpyutd.msi"
      $x14 = "/svchost.exe -OutFile "
      $x15 = "curl http://minish.wiki.gd"
      $x16 = " -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile "
      $x17 = "rundll32.exe' -Headers @"
      $x18 = "/nssm.exe' -Headers @"
      $x19 = "c:\\programdata\\update.dat UpdateSystem"
      $x20 = "::size -eq 4){\\\"TVqQAA" ascii wide
      $x21 = "::size -eq 4){\"TVqQAA" ascii wide
      $x22 = "-nop -c [System.Reflection.Assembly]::Load(([WmiClass]'root\\cimv2:System_"

      /* Persistence */
      $xp0 = "/add default test@2021! /domain"
      $xp1 = "/add default1 test@2021! /domain"
      $xp2 = "oldadmin Pass8080!!"
      $xp3 = "temp 123123qwE /add "
      $xp4 = "oldadmin \"Pass8080!!\""
      $xp5 = "nssm set xmrig AppDirectory "
   condition:
      1 of ($x*)
}
Rule: SUSP_ScreenConnect_User_Gmail_2024_Feb24 (direct match: ScreenConnect)
Detects a suspicious ScreenConnect user with a Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an authentication bypass.
Author: Florian Roth · License: see source repo
rule SUSP_ScreenConnect_User_Gmail_2024_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user with Gmail address created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
      date = "2024-02-22"
      score = 65
      id = "3c86f4ee-4e8c-566b-b54e-e94418e4ec7e"
   strings:
      $a1 = "<Users xmlns:xsi="

      $s1 = "@gmail.com</Email>"
      $s2 = "<CreationDate>2024-"
   condition:
      filesize < 200KB
      and all of them
      and filepath contains "\\ScreenConnect\\App_Data\\"
}
Rule: SUSP_ScreenConnect_New_User_2024_Feb24 (direct match: ScreenConnect)
Detects a suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an authentication bypass.
Author: Florian Roth · License: see source repo
rule SUSP_ScreenConnect_New_User_2024_Feb24 {
   meta:
      description = "Detects suspicious new ScreenConnect user created in 2024, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://twitter.com/_johnhammond/status/1760357971127832637"
      date = "2024-02-22"
      score = 50
      id = "f6675ded-39a4-590a-a201-fcfe3c056e60"
   strings:
      $a1 = "<Users xmlns:xsi="

      $s1 = "<CreationDate>2024-"
   condition:
      filesize < 200KB
      and all of them
      and filepath contains "\\ScreenConnect\\App_Data\\"
}
Rule: SUSP_ScreenConnect_User_2024_No_Logon_Feb24 (direct match: ScreenConnect)
Detects a suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an authentication bypass.
Author: Florian Roth · License: see source repo
rule SUSP_ScreenConnect_User_2024_No_Logon_Feb24 {
   meta:
      description = "Detects suspicious ScreenConnect user created in 2024 but without any login, which could be a sign of exploitation of the ConnectWise ScreenConnect (versions prior to 23.9.8) vulnerability that allows an Authentication Bypass"
      author = "Florian Roth"
      reference = "https://github.com/watchtowrlabs/connectwise-screenconnect_auth-bypass-add-user-poc/blob/45e5b2f699a4d8f2d59ec3fc79a2e3c99db71882/watchtowr-vs-ConnectWise_2024-02-21.py#L53"
      date = "2024-02-23"
      score = 60
      id = "c0861f1c-08e2-565d-a468-2075c51b4004"
   strings:
      $a1 = "<Users xmlns:xsi="
      $a2 = "<CreationDate>"

      $s1 = "<CreationDate>2024-"
      $s2 = "<LastLoginDate>0001-01-01T00:00:00</LastLoginDate>"
   condition:
      filesize < 200KB
      and all of them
      and filepath contains "\\ScreenConnect\\App_Data\\"
}
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin