Detect SimpleHelp Path Traversal Vulnerability (CVE-2024-57728) in Google Chronicle
Detects exploitation of CVE-2024-57728, a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. Attackers can traverse directory boundaries to read arbitrary files from the server, potentially exposing credentials, configuration files, and sensitive system data. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
YARA-L Detection Query
rule CVE_2024_57728_SimpleHelp_PathTraversal {
meta:
author = "df00tech Detection Engineering"
description = "Detects path traversal exploitation of CVE-2024-57728 in SimpleHelp"
severity = "HIGH"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-57728"
cve = "CVE-2024-57728"
events:
$http.metadata.event_type = "NETWORK_HTTP"
$http.target.port = /^(80|443|5850|5951)$/
(
$http.target.url = /(\.\.\/|%2e%2e%2f|%252e%252e|\.\.%2f|%2f%2e%2e)/i or
$http.network.http.request_url = /(\.\.\/|%2e%2e%2f|%252e%252e|\.\.%2f)/i
)
condition:
$http
}Chronicle YARA-L rule to detect HTTP requests containing path traversal sequences targeting SimpleHelp service ports. Matches both plaintext and URL-encoded traversal patterns in request URLs.
Data Sources
Required Tables
False Positives & Tuning
- Security assessment tooling operating in authorized testing windows
- Threat intelligence platforms that replay historical IOCs for validation
- Misconfigured SIEM forwarders that normalize URLs incorrectly before ingestion
- Internal vulnerability management systems performing compliance checks
Other platforms for CVE-2024-57728
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SimpleHelp Path Traversal - Read /etc/passwd via URL-encoded traversal
Expected signal: Web server access log entry with URI containing %2e%2e%2f sequences; network flow showing outbound connection to SimpleHelp port 5850; if successful (HTTP 200), response body will contain /etc/passwd content
- Test 2SimpleHelp Path Traversal - Double URL-encoded traversal for WAF bypass
Expected signal: Web server access log with %252e%252e in URI; detection systems that only decode once will see %2e%2e after first decode pass, requiring double-decode logic to identify traversal
- Test 3SimpleHelp Path Traversal - Target web application configuration file
Expected signal: Windows: PowerShell ScriptBlock logging Event ID 4104 showing Invoke-WebRequest with path traversal URI; network connection to SimpleHelp port 5850; web server access log entry with ../WEB-INF/web.xml in request path
- Test 4SimpleHelp Path Traversal - Automated scan simulation with multiple traversal depths
Expected signal: Multiple web server access log entries with increasing ../ sequences in rapid succession from the same source IP; pattern consistent with automated exploitation tool behavior
Unlock Pro Content
Get the full detection package for CVE-2024-57728 including response playbook, investigation guide, and atomic red team tests.