/*************************** Sophos.com/RapidResponse ****************************\
| DESCRIPTION |
| Detect potential exploitation of CVE-2024-1708 on a machine hosting a |
| ScreenConnect server by looking for .ASPX and .ASHX files written in the |
| \ScreenConnect\App_Extensions folder. |
| |
| https://www.huntress.com/blog/a-catastrophe-for-control-understanding-the- |
| screenconnect-authentication-bypass |
| |
| Query Type: Endpoint |
| Author: The Rapid Response Team | Lee Kirkpatrick |
| github.com/SophosRapidResponse |
\*********************************************************************************/
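-- One row per web-handler file found directly in the ScreenConnect
-- App_Extensions folder. Timestamps come from osquery's file table as epoch
-- seconds and are rendered as UTC ISO-8601; the hash comes from the hash table.
SELECT
    f.path,
    f.filename,
    f.size,
    -- btime is the file's birth/creation time in osquery's file table; the
    -- other three are the usual POSIX-style status-change/modify/access times.
    strftime('%Y-%m-%dT%H:%M:%SZ', f.btime, 'unixepoch') AS "First_Created_On_Disk(btime)",
    strftime('%Y-%m-%dT%H:%M:%SZ', f.ctime, 'unixepoch') AS "Last_Status_Change(ctime)",
    strftime('%Y-%m-%dT%H:%M:%SZ', f.mtime, 'unixepoch') AS "Last_Modified(mtime)",
    strftime('%Y-%m-%dT%H:%M:%SZ', f.atime, 'unixepoch') AS "Last_Accessed(atime)",
    h.sha256,
    'file' AS data_source,
    'ScreenConnect.06.' AS query
FROM file AS f
-- LEFT JOIN so a matching file is still reported when the hash table returns
-- no row for it (for example the file is locked or removed between the two
-- table reads); sha256 is then NULL instead of the finding being dropped.
LEFT JOIN hash AS h
    ON h.path = f.path
WHERE
    -- Default install location; it can be changed at installation, so adjust
    -- the prefix if the server lives elsewhere.
    -- In osquery's file table a single '%' expands within one path component,
    -- so this covers files directly in App_Extensions, not its subfolders.
    -- '%.as%x' matches any extension that starts with .as and ends with x:
    -- .aspx and .ashx as described, but also e.g. .asmx, .ascx and .asax.
    f.path LIKE 'C:\Program Files (x86)\ScreenConnect\App_Extensions\%.as%x'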