
Using Trend Micro Products for Investigation


The following highlights several post-exploitation detection and remediation technologies that customers can use to investigate potential exposure and help with remediation in their environment.

Trend Vision One™

Trend Vision One customers benefit from the attack surface risk management and XDR capabilities of the overall platform, fed by products such as Trend Micro Apex One or Trend Vision One - Endpoint Security, which lets existing customers stay up to date on the latest information on these vulnerabilities. Leveraging the Risk Insights family of apps, customers can scan for and identify impacted assets and stay up to date on the latest mitigation steps, including how to use Trend products to detect and defend against exploitation.

Search Query

Trend Vision One customers may utilize the General Search Query function in the console to do some preliminary investigation of potential exposure.

1. Open Trend Vision One and navigate to XDR THREAT INVESTIGATION > Search.
2. Select General for Search Method.
3. Enter the following query:

(parentFilePath:"ScreenConnect.ClientService.exe" AND processFilePath:"cmd.exe" AND processCmd:*Screenconnect* AND objectFilePath:("powershell.exe" OR "certutil.exe" OR "wget.exe" OR "curl.exe" OR "rundll32.exe" OR "nltest.exe" OR "net.exe") AND NOT processCmd:*23.9.8.*)
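As an added, runnable illustration (not part of the original article and not Vision One's own code), this Python snippet replays the conditions of the query above over a few constructed process-creation records, so an analyst can see which chains the query keeps and which the NOT clause drops. It assumes the console's string matches are case-insensitive and that the path fields are compared by file name.

```python
from dataclasses import dataclass

# Child executables the console query flags when launched from cmd.exe
SUSPICIOUS_CHILDREN = {
    "powershell.exe", "certutil.exe", "wget.exe", "curl.exe",
    "rundll32.exe", "nltest.exe", "net.exe",
}

@dataclass
class ProcessEvent:
    """One process-creation record carrying the four fields the query uses."""
    parent_file_path: str   # parentFilePath
    process_file_path: str  # processFilePath
    process_cmd: str        # processCmd
    object_file_path: str   # objectFilePath (the child being launched)

def _basename(path: str) -> str:
    # Accept both separators so the check also runs off-host on exported records
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def matches_screenconnect_query(ev: ProcessEvent) -> bool:
    """Assumed semantics: case-insensitive, file-name match on the path fields."""
    return (
        _basename(ev.parent_file_path) == "screenconnect.clientservice.exe"
        and _basename(ev.process_file_path) == "cmd.exe"
        and "screenconnect" in ev.process_cmd.lower()
        and _basename(ev.object_file_path) in SUSPICIOUS_CHILDREN
        # The NOT clause drops command lines that reference the patched 23.9.8 build
        and "23.9.8." not in ev.process_cmd
    )

def find_matches(events):
    return [ev for ev in events if matches_screenconnect_query(ev)]

# Constructed sample records, not real telemetry
SC = r"C:\Program Files (x86)\ScreenConnect Client (demo)\ScreenConnect.ClientService.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # cmd.exe under the client service starting powershell.exe: hit
    ProcessEvent(SC, CMD, r"cmd.exe /c C:\ProgramData\ScreenConnect\task.bat", PS),
    # same chain, but the command line names the fixed 23.9.8 build: excluded
    ProcessEvent(SC, CMD, r"cmd.exe /c C:\Temp\ScreenConnect-23.9.8.update.bat", PS),
    # child is notepad.exe, which the query does not watch: no hit
    ProcessEvent(SC, CMD, r"cmd.exe /c C:\ProgramData\ScreenConnect\task.bat", r"C:\Windows\notepad.exe"),
    # same chain under explorer.exe rather than the client service: no hit
    ProcessEvent(r"C:\Windows\explorer.exe", CMD, r"cmd.exe /c C:\ProgramData\ScreenConnect\task.bat", PS),
]
```

Calling find_matches(SAMPLE_EVENTS) returns only the first record; the other three fail one condition each, which is a quick way to sanity-check a tuned copy of the query before running it against live telemetry.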

Trend Micro Protection and Detection Against Exploitation

First and foremost, it is always highly recommended that users apply the vendor's patches when they become available. Cloud users of ScreenConnect have already been patched, but on-premise users should apply the required patches as soon as possible.

In addition, as another layer of protection, Trend Micro has detection rules and filters that can help protect against potential exploitation of this vulnerability.

Trend Micro Cloud One - Network Security & TippingPoint Digital Vaccine (DV) Filters
  • 43908: HTTP: ConnectWise ScreenConnect Authentication Bypass Vulnerability
  • 43910: HTTP: ConnectWise ScreenConnect Path Traversal Vulnerability

Trend Vision One - Endpoint Security (Pro), Trend Cloud One - Workload Security, & Deep Security IPS Rules
  • 1011098 - ConnectWise ScreenConnect Authentication Bypass Vulnerability (CVE-2024-1709)

Trend Micro Deep Discovery Inspector (DDI) Rules
  • 5006: CVE-2024-1708 - ConnectWise ScreenConnect Directory Traversal Exploit - HTTP (Request)
  • 5007: CVE-2024-1709 - ConnectWise ScreenConnect Authentication Bypass Exploit - HTTP (Response)

Trend Micro Web Reputation Services (WRS)

Trend Micro customers utilizing products (including endpoint, server, and gateway solutions) that include Trend Micro Web Reputation Services (WRS) protection are protected against known command & control (C&C) servers that have been publicly listed as indicators of compromise (IOCs). Trend Micro will continue to add malicious IPs as they are discovered.