CVE-2024-50623 Exploitation Attempt - Cleo

Rule Info

Name
CVE-2024-50623 Exploitation Attempt - Cleo
Author
Tanner Filip, Austin Worline, Chad Hudson, Matt Anderson
Description
Detects exploitation attempt of Cleo's CVE-2024-50623 by looking for a "cmd.exe" process spawning from the Celo software suite with suspicious Powershell commandline.
Reference
https://www.huntress.com/blog/threat-advisory-oh-no-cleo-cleo-software-actively-being-exploited-in-the-wild
Date
2024-12-09 00:00:00
Modified
None
Id
f007b877-02e3-45b7-8501-1b78c2864029
Tags
attack.execution attack.t1190 cve.2024-50623 detection.emerging-threats
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=f007b877-02e3-45b7-8501-1b78c2864029

Rule History

Author
Title
Date
Commit
frack113
Merge PR #5169 from @frack113 - Add missing `detection.emerging-threats` tags
2025-01-30
62f6d2797
Florian Roth
Merge PR #5116 from @Neo23x0 - Add rules and updates related to Cleo exploitation
2024-12-14
17dcad456
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022