CVE-2024-7694

TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload (CVE-2024-7694)

CVE-2024-7694 is an unrestricted file upload vulnerability (CWE-434) in TeamT5 ThreatSonar Anti-Ransomware. An attacker can upload files with dangerous types to the ThreatSonar management interface, potentially achieving remote code execution on the host running the security product. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation of a security product creates a high-impact scenario where the attacker may gain privileged access to the endpoint security management plane.

Vulnerability Intelligence

KEV — Known Exploited

Affected Software

Vendor
TeamT5
Product
ThreatSonar Anti-Ransomware

Weakness (CWE)

Timeline

Disclosed
February 17, 2026

CVSS

Unscored
Write-up coming soon

What is CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload)?

CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload) maps to the Initial Access, Execution and Persistence tactics in MITRE ATT&CK; in ATT&CK's terms, Initial Access means the adversary is trying to get into your network.

This page provides production-ready detection logic for TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload (CVE-2024-7694), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, DeviceFileEvents, DeviceNetworkEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access, Execution, Persistence
Microsoft Sentinel / Defender
// Case-insensitive substrings identifying ThreatSonar paths and processes (has_any ignores case)
let ThreatSonarPaths = dynamic(['ThreatSonar', 'threatsonar', 'antiransomware']);
// Extensions that should never be written into the management interface's upload locations
let DangerousExtensions = dynamic(['.php', '.asp', '.aspx', '.jsp', '.war', '.exe', '.dll', '.bat', '.cmd', '.ps1', '.sh', '.py', '.rb', '.pl']);
// Branch 1: files with a dangerous extension created or modified in a ThreatSonar context
DeviceFileEvents
| where TimeGenerated > ago(7d)
| where ActionType in ('FileCreated', 'FileModified')
| where FolderPath has_any (ThreatSonarPaths) or InitiatingProcessParentFileName has_any (ThreatSonarPaths) or InitiatingProcessFileName has_any (ThreatSonarPaths)
// Use the last dot-separated token, so 'report.pdf.php' is classified as .php
| extend FileExtension = tolower(tostring(split(FileName, '.')[-1]))
| where strcat('.', FileExtension) in (DangerousExtensions)
| project TimeGenerated, DeviceName, DeviceId, FileName, FolderPath, FileExtension, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessParentFileName
// Branch 2: ThreatSonar processes reaching non-private hosts on ports other than 80/443
| union (
    DeviceNetworkEvents
    | where TimeGenerated > ago(7d)
    | where InitiatingProcessFileName has_any (ThreatSonarPaths)
    | where RemoteIPType !in ('Private', 'Loopback')
    | where RemotePort !in (80, 443)
    | project TimeGenerated, DeviceName, DeviceId, RemoteIP, RemotePort, RemoteUrl, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
)
| order by TimeGenerated desc

Detects suspicious file creation with dangerous extensions in ThreatSonar-related paths, and anomalous outbound network connections initiated by ThreatSonar processes, which may indicate exploitation of CVE-2024-7694 unrestricted file upload.
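As an added illustration (not the page's own query and not TeamT5 code), the same two-branch logic re-implemented in Python over constructed DeviceFileEvents and DeviceNetworkEvents records, so the effect of each filter can be checked on sample rows. File names, paths, process names and addresses are made up; RemoteIPType is taken from the record as Defender supplies it rather than recomputed, and the updater row shows why legitimate ThreatSonar updates appear among the false positives.

```python
# Added illustration of the page's KQL logic over constructed MDE records (all sample data is made up).
THREATSONAR_PATHS = ("threatsonar", "antiransomware")  # has_any is case-insensitive in KQL
DANGEROUS_EXTENSIONS = {".php", ".asp", ".aspx", ".jsp", ".war", ".exe", ".dll",
                        ".bat", ".cmd", ".ps1", ".sh", ".py", ".rb", ".pl"}

def has_any(value, needles):
    """KQL has_any on a string column: case-insensitive substring match."""
    return any(n in (value or "").lower() for n in needles)

def file_extension(filename):
    """KQL tolower(split(FileName, '.')[-1]): last dot token, so 'a.pdf.php' -> 'php'."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def suspicious_file_event(ev):
    """File created/modified in a ThreatSonar context with a dangerous extension."""
    if ev.get("ActionType") not in ("FileCreated", "FileModified"):
        return False
    cols = ("FolderPath", "InitiatingProcessParentFileName", "InitiatingProcessFileName")
    related = any(has_any(ev.get(c), THREATSONAR_PATHS) for c in cols)
    return related and "." + file_extension(ev.get("FileName", "")) in DANGEROUS_EXTENSIONS

def suspicious_network_event(ev):
    """ThreatSonar process talking to a non-private, non-loopback host off ports 80/443."""
    return (has_any(ev.get("InitiatingProcessFileName"), THREATSONAR_PATHS)
            and ev.get("RemoteIPType") not in ("Private", "Loopback")
            and int(ev.get("RemotePort", 0)) not in (80, 443))

def triage(file_events, network_events):
    """Rows the KQL union would surface, as short labels (FileName or ip:port)."""
    hits = [e["FileName"] for e in file_events if suspicious_file_event(e)]
    hits += [f'{e["RemoteIP"]}:{e["RemotePort"]}' for e in network_events
             if suspicious_network_event(e)]
    return hits

FILE_EVENTS = [
    {"ActionType": "FileCreated", "FolderPath": r"C:\Program Files\TeamT5\ThreatSonar\uploads",
     "FileName": "report.pdf.php", "InitiatingProcessFileName": "w3wp.exe"},  # hit: last extension wins
    {"ActionType": "FileCreated", "FolderPath": r"C:\Program Files\TeamT5\ThreatSonar\uploads",
     "FileName": "scan_results.json", "InitiatingProcessFileName": "w3wp.exe"},  # benign data file
    {"ActionType": "FileModified", "FolderPath": r"C:\Windows\Temp",
     "FileName": "update.exe", "InitiatingProcessFileName": "ThreatSonarUpdater.exe"},  # hit via process
]                                                    # name: the legitimate-update false positive
NETWORK_EVENTS = [
    {"InitiatingProcessFileName": "ThreatSonarAgent.exe", "RemoteIP": "192.0.2.10",
     "RemotePort": 8088, "RemoteIPType": "Public"},   # hit: non-web port to a non-private host
    {"InitiatingProcessFileName": "ThreatSonarAgent.exe", "RemoteIP": "10.0.0.5",
     "RemotePort": 8088, "RemoteIPType": "Private"},  # filtered: RemoteIPType Private
    {"InitiatingProcessFileName": "ThreatSonarAgent.exe", "RemoteIP": "192.0.2.20",
     "RemotePort": 443, "RemoteIPType": "Public"},    # filtered: port 443 excluded
]
```

Calling `triage(FILE_EVENTS, NETWORK_EVENTS)` returns the two file hits and the one network hit in that order.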

Severity: critical
Confidence: medium

Data Sources

  • Microsoft Defender for Endpoint
  • Microsoft Sentinel
  • DeviceFileEvents
  • DeviceNetworkEvents

Required Tables

  • DeviceFileEvents
  • DeviceNetworkEvents

False Positives

  • Legitimate ThreatSonar updates or patches that install executable components
  • Authorized penetration testing activities targeting ThreatSonar
  • ThreatSonar's own threat intelligence update mechanism downloading executable samples for analysis
  • Security researchers uploading test files in lab environments

Sigma rule & cross-platform mapping

The detection logic for CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for Microsoft Sentinel / Defender (KQL), Splunk (SPL), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps (YARA-L) and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:

logsource:
  category: network_connection
  product: windows


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate web shell upload to ThreatSonar upload directory

    Expected signal: Sysmon Event ID 11 (FileCreate) showing creation of a .php file in a ThreatSonar path; DeviceFileEvents in MDE showing FileName=test_shell.php in the ThreatSonar directory

  2. Test 2: Simulate ASP webshell drop via PowerShell (ThreatSonar IIS context)

    Expected signal: Sysmon Event ID 11 with TargetFilename matching *.aspx in wwwroot/threatsonar; IIS log entry if the file is subsequently requested

  3. Test 3: Simulate post-exploitation cmd.exe spawn from web worker process in ThreatSonar context

    Expected signal: Sysmon Event ID 1 showing cmd.exe spawned from the threatsonar_worker.exe process; process tree showing execution of whoami; DeviceProcessEvents in MDE capturing the parent-child process relationship
