Et rule 2050991 - Magic-SigExplorer

""ET WEB_SPECIFIC_APPS ConnectWise ScreenConnect - Attempted User Creation via SetupWizard with Auth Bypass CWE-288 (CVE-2024-1709)""

SID: 2050991

Revision: 1

Class Type: attempted-admin

Metadata: attack_target Web_Server, tls_state TLSDecrypt, created_at 2024_02_21, cve CVE_2024_1709, deployment Perimeter, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_02_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application

Reference:

cve
2024-1709

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: [$HOME_NET,$HTTP_SERVERS]

Destination Port: [$HTTP_PORTS,8040]

Flow: established,to_server

Contents:

Value: "POST /SetupWizard.aspx/" Depth: 23
Value: "userNameBox|3d|"
Value: "emailBox|3d|"
Value: "passwordBox|3d|"

Within:

PCRE:

Special Options:

fast_pattern

source