Detect SimpleHelp Path Traversal Vulnerability (CVE-2024-57728) in Sumo Logic CSE
Detects exploitation of CVE-2024-57728, a path traversal vulnerability (CWE-22) in SimpleHelp remote support software versions 5.5.7 and earlier. Attackers can traverse directory boundaries to read arbitrary files from the server, potentially exposing credentials, configuration files, and sensitive system data. This CVE is listed in CISA's Known Exploited Vulnerabilities catalog.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=webserver* OR _sourceCategory=simplehelp*
| parse regex "(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "\"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (?<request_uri>[^\"]+)\"" nodrop
| where request_uri matches "*../*" OR request_uri matches "*%2e%2e*" OR request_uri matches "*%252e%252e*" OR request_uri matches "*..%2f*" OR request_uri matches "*%2f%2e%2e*"
| urldecode(request_uri) as decoded_uri
| urldecode(decoded_uri) as double_decoded_uri
| if(double_decoded_uri matches "*/etc/passwd*" OR double_decoded_uri matches "*/etc/shadow*" OR double_decoded_uri matches "*web.xml*" OR double_decoded_uri matches "*credentials*" OR double_decoded_uri matches "*id_rsa*", "CRITICAL", "HIGH") as alert_priority
| count as hit_count by client_ip, decoded_uri, alert_priority
| sort by hit_count descSumo Logic query that parses web access logs for path traversal sequences targeting SimpleHelp, with double URL decoding to catch obfuscated traversal attempts and prioritization based on targeted sensitive file patterns.
Data Sources
Required Tables
False Positives & Tuning
- Vulnerability scanners configured to test path traversal without targeting production systems
- Legacy application integrations that generate path traversal-like URL patterns
- Load balancer health check configurations with non-standard URI formats
- Security tooling that logs raw request data including traversal test strings
Other platforms for CVE-2024-57728
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1SimpleHelp Path Traversal - Read /etc/passwd via URL-encoded traversal
Expected signal: Web server access log entry with URI containing %2e%2e%2f sequences; network flow showing outbound connection to SimpleHelp port 5850; if successful (HTTP 200), response body will contain /etc/passwd content
- Test 2SimpleHelp Path Traversal - Double URL-encoded traversal for WAF bypass
Expected signal: Web server access log with %252e%252e in URI; detection systems that only decode once will see %2e%2e after first decode pass, requiring double-decode logic to identify traversal
- Test 3SimpleHelp Path Traversal - Target web application configuration file
Expected signal: Windows: PowerShell ScriptBlock logging Event ID 4104 showing Invoke-WebRequest with path traversal URI; network connection to SimpleHelp port 5850; web server access log entry with ../WEB-INF/web.xml in request path
- Test 4SimpleHelp Path Traversal - Automated scan simulation with multiple traversal depths
Expected signal: Multiple web server access log entries with increasing ../ sequences in rapid succession from the same source IP; pattern consistent with automated exploitation tool behavior
Unlock Pro Content
Get the full detection package for CVE-2024-57728 including response playbook, investigation guide, and atomic red team tests.