Detect SimpleHelp Path Traversal Vulnerability (CVE-2024-57728) in IBM QRadar
Detects exploitation of CVE-2024-57728, a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. Attackers can traverse directory boundaries to read arbitrary files from the server, potentially exposing credentials, configuration files, and sensitive system data. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') as event_time,
sourceip,
destinationip,
destinationport,
URL,
username,
QIDNAME(qid) as event_name,
logsourcename(logSourceId) as log_source,
'CVE-2024-57728' as cve_reference
FROM events
WHERE
starttime > NOW() - 7 DAYS
AND (
URL IMATCHES '.*(%2e%2e|%252e%252e|\.\./|\.\.%2f|%2f%2e%2e).*'
OR UTF8(payload) IMATCHES '.*(\.\./|\.\.\\/|%2e%2e%2f|%252e%252e%252f).*'
)
AND (
destinationport IN (80, 443, 5850, 5951)
OR logsourcename(logSourceId) IMATCHES '.*simplehelp.*'
)
ORDER BY starttime DESC
LIMIT 1000QRadar AQL query to detect path traversal exploitation attempts targeting SimpleHelp servers by inspecting URL fields and raw payload for directory traversal sequences on known SimpleHelp ports.
Data Sources
Required Tables
False Positives & Tuning
- Authorized red team or penetration testing exercises against SimpleHelp deployments
- Web application scanner false positives during scheduled security assessments
- Log forwarding systems that preserve original raw HTTP requests including encoded characters
- Misconfigured proxy servers that generate path traversal artifacts in forwarded requests
Other platforms for CVE-2024-57728
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SimpleHelp Path Traversal - Read /etc/passwd via URL-encoded traversal
Expected signal: Web server access log entry with URI containing %2e%2e%2f sequences; network flow showing outbound connection to SimpleHelp port 5850; if successful (HTTP 200), response body will contain /etc/passwd content
- Test 2SimpleHelp Path Traversal - Double URL-encoded traversal for WAF bypass
Expected signal: Web server access log with %252e%252e in URI; detection systems that only decode once will see %2e%2e after first decode pass, requiring double-decode logic to identify traversal
- Test 3SimpleHelp Path Traversal - Target web application configuration file
Expected signal: Windows: PowerShell ScriptBlock logging Event ID 4104 showing Invoke-WebRequest with path traversal URI; network connection to SimpleHelp port 5850; web server access log entry with ../WEB-INF/web.xml in request path
- Test 4SimpleHelp Path Traversal - Automated scan simulation with multiple traversal depths
Expected signal: Multiple web server access log entries with increasing ../ sequences in rapid succession from the same source IP; pattern consistent with automated exploitation tool behavior
Unlock Pro Content
Get the full detection package for CVE-2024-57728 including response playbook, investigation guide, and atomic red team tests.