CVE-2024-57728 CrowdStrike LogScale · LogScale

Detect SimpleHelp Path Traversal Vulnerability (CVE-2024-57728) in CrowdStrike LogScale

Detects exploitation of CVE-2024-57728, a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. Attackers can traverse directory boundaries to read arbitrary files from the server, potentially exposing credentials, configuration files, and sensitive system data. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.

MITRE ATT&CK

Tactics: Initial Access, Discovery, Credential Access

LogScale Detection Query

CrowdStrike LogScale (CQL)

// Scope to the two Falcon sensor event types used in the branches below
#event_simpleName=NetworkConnectIP4 OR #event_simpleName=ProcessRollup2
| case {
    // Network branch: connections to HTTP(S) and SimpleHelp service ports
    #event_simpleName=NetworkConnectIP4
      | in(RemotePort, values=["80", "443", "5850", "5951"])
      | rename(field=[[RemoteIP, target_ip], [RemotePort, target_port]]);
    // Process branch: command lines carrying raw, URL-encoded or double-encoded traversal
    #event_simpleName=ProcessRollup2
      | CommandLine=/(\.\.\/|%2e%2e|%252e%252e|\.\.%2f|%2f%2e%2e)/i
      | rename(CommandLine, as=suspicious_cmdline)
  }
| suspicious_cmdline=* OR target_port=5850 OR target_port=5951
| traversal_detected := if(suspicious_cmdline=/(\.\.\/|%2e%2e|%252e%252e)/i, then="YES", else="NO")
| sensitive_file_target := if(suspicious_cmdline=/(passwd|shadow|web\.xml|\.env|id_rsa|credentials|config)/, then="YES", else="NO")
| groupBy([aid, ComputerName, traversal_detected, sensitive_file_target],
    function=[count(as=event_count), collect([suspicious_cmdline, target_ip])])
| traversal_detected="YES"
| sort(event_count, order=desc)

Severity: High · Confidence: Medium

CrowdStrike Falcon event search that detects path traversal patterns (raw, URL-encoded and double-URL-encoded) in process command lines, alongside network connections to the SimpleHelp service ports 5850 and 5951, and enriches each hit with a flag for sensitive file targeting. Note that the final traversal_detected="YES" filter keeps only groups built from command-line hits; network-only events carry no command line and are dropped, so the connection telemetry should be reviewed on the flagged hosts rather than expected in the alert output.

Data Sources

CrowdStrike Falcon Endpoint Activity, CrowdStrike Network Containment Events

Required Tables

NetworkConnectIP4, ProcessRollup2

False Positives & Tuning

  • Endpoint agents performing file integrity monitoring that scan parent directory paths
  • Backup software traversing directory trees using relative path notation
  • Development tools or IDEs generating process command lines with relative paths
  • Authorized red team activity using CrowdStrike-visible attack simulation tooling

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behavior to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: SimpleHelp Path Traversal - Read /etc/passwd via URL-encoded traversal

    Expected signal: Web server access log entry with URI containing %2e%2e%2f sequences; network flow showing outbound connection to SimpleHelp port 5850; if successful (HTTP 200), response body will contain /etc/passwd content

  2. Test 2: SimpleHelp Path Traversal - Double URL-encoded traversal for WAF bypass

    Expected signal: Web server access log with %252e%252e in URI; detection systems that only decode once will see %2e%2e after first decode pass, requiring double-decode logic to identify traversal

  3. Test 3: SimpleHelp Path Traversal - Target web application configuration file

    Expected signal: Windows: PowerShell ScriptBlock logging Event ID 4104 showing Invoke-WebRequest with path traversal URI; network connection to SimpleHelp port 5850; web server access log entry with ../WEB-INF/web.xml in request path

  4. Test 4: SimpleHelp Path Traversal - Automated scan simulation with multiple traversal depths

    Expected signal: Multiple web server access log entries with increasing ../ sequences in rapid succession from the same source IP; pattern consistent with automated exploitation tool behavior
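Added example (not from this page or from the detection vendor): a small Python checker that applies the decode-until-stable logic Test 2 calls for to web-server access-log lines, reports traversal depth per request, flags the sensitive file names the query above looks for, and counts hits per source IP as Test 4 describes. The log lines, the /resource/ path and the 10.0.0.x addresses are constructed placeholders, not SimpleHelp endpoints or real traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines in Common Log Format (not real SimpleHelp
# traffic; "/resource/" is a placeholder path, not the product's endpoint).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [01/Feb/2025:10:00:02 +0000] "GET /resource/..%2F..%2F..%2Fetc/passwd HTTP/1.1" 200 1420
10.0.0.9 - - [01/Feb/2025:10:00:03 +0000] "GET /resource/%252e%252e%252fWEB-INF/web.xml HTTP/1.1" 200 880
10.0.0.9 - - [01/Feb/2025:10:00:04 +0000] "GET /resource/..%2F..%2F..%2F..%2Fetc/shadow HTTP/1.1" 403 0
10.0.0.7 - - [01/Feb/2025:10:00:05 +0000] "GET /assets/app.js HTTP/1.1" 200 3000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3})')
DOTDOT_RE = re.compile(r"\.\./|\.\.\\")   # evaluated only on the fully decoded URI
SENSITIVE_RE = re.compile(r"passwd|shadow|web\.xml|\.env|id_rsa|credentials|config", re.I)

def decode_fully(uri, max_rounds=3):
    """Percent-decode until the string stops changing; return (decoded, rounds).
    rounds == 2 means the request was double-encoded (%252e -> %2e -> '.')."""
    rounds = 0
    for _ in range(max_rounds):
        nxt = unquote(uri)
        if nxt == uri:
            break
        uri, rounds = nxt, rounds + 1
    return uri, rounds

def analyze_log(text):
    """Return (findings, per_source): one finding per request whose decoded URI
    contains dot-dot-slash, plus a count of such requests per client IP."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded, rounds = decode_fully(m["uri"])
        depth = len(DOTDOT_RE.findall(decoded))
        if depth == 0:
            continue
        findings.append({
            "ip": m["ip"], "uri": m["uri"], "decoded": decoded,
            "decode_rounds": rounds, "depth": depth,
            "sensitive_target": bool(SENSITIVE_RE.search(decoded)),
            "status": int(m["status"]),   # 200 with traversal: likely successful read
        })
    per_source = Counter(f["ip"] for f in findings)   # burst from one IP (Test 4)
    return findings, dict(per_source)
```

A WAF or sensor that decodes only once would see %2e%2e%2f for the third line and miss it; decode_fully reports decode_rounds == 2 for that request so the double-encoding itself can be surfaced as an indicator.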
