CVE-2024-7694 Google Chronicle · YARA-L

Detect TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload (CVE-2024-7694) in Google Chronicle

CVE-2024-7694 is an unrestricted file upload vulnerability (CWE-434) in TeamT5 ThreatSonar Anti-Ransomware. An attacker can upload files of dangerous types (web shell scripts, native binaries) through the ThreatSonar management interface, and if such a file lands in a location the web server or host will execute, the result is remote code execution on the host running the security product. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Compromise of a security product is a high-impact scenario: the attacker gains a foothold on the endpoint security management plane, a system that is trusted by, and has reach into, every managed endpoint.

MITRE ATT&CK

Tactics

  • Initial Access
  • Execution
  • Persistence

YARA-L Detection Query

Google Chronicle (YARA-L)
rule cve_2024_7694_threatsonar_unrestricted_upload {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects unrestricted file upload exploitation of CVE-2024-7694 in TeamT5 ThreatSonar Anti-Ransomware"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://nvd.nist.gov/vuln/detail/CVE-2024-7694"

  events:
    // Scope to file-creation telemetry from endpoint agents.
    $file_event.metadata.event_type = "FILE_CREATION"

    // Either the new file lands in a ThreatSonar/TeamT5 path, or the
    // process writing it is a ThreatSonar component (e.g. its web worker).
    (
      re.regex($file_event.target.file.full_path, `(?i)(threatsonar|antiransomware|teamt5)`) or
      re.regex($file_event.principal.process.file.full_path, `(?i)(threatsonar|antiransomware)`)
    )

    // Dangerous file types: web shells, native binaries, interpreter scripts.
    re.regex($file_event.target.file.full_path, `(?i)\.(php|asp|aspx|jsp|war|exe|dll|bat|cmd|ps1|sh|py|rb|pl)$`)

    // The match section can only reference placeholder variables bound here.
    $hostname = $file_event.principal.hostname

  match:
    $hostname over 1h

  outcome:
    // Web-shell extensions score highest; native binaries next; scripts lowest.
    $risk_score = max(
      if(re.regex($file_event.target.file.full_path, `(?i)\.(php|asp|aspx|jsp)$`), 95,
      if(re.regex($file_event.target.file.full_path, `(?i)\.(exe|dll)$`), 85, 70))
    )
    // With a match window, non-match outcome variables must be aggregated.
    $file_paths = array_distinct($file_event.target.file.full_path)
    $actors = array_distinct($file_event.principal.user.userid)

  condition:
    $file_event
}
Severity: Critical · Confidence: Medium

Chronicle YARA-L rule detecting creation of dangerous file types in ThreatSonar Anti-Ransomware installation paths, or by ThreatSonar processes, consistent with exploitation of the CVE-2024-7694 unrestricted upload vulnerability. Hits are grouped per host over a one-hour window, and the risk score reflects the most dangerous extension seen in that window.

Data Sources

  • Chronicle SIEM / Google SecOps
  • UDM file events from endpoint agents

Required Tables

UDM FILE_CREATION events

False Positives & Tuning

  • Legitimate software deployment pipelines updating ThreatSonar components
  • ThreatSonar malware quarantine storing samples with original extensions
  • Authorized security research in controlled ThreatSonar environments
  • TeamT5 official update packages deploying new binaries
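The following Python script is an added example, not part of the original page and not TeamT5 or df00tech code. It re-implements the rule's logic (the product-path/process regexes, the dangerous-extension filter, the tiered risk score and the per-host one-hour grouping) over a handful of constructed UDM-style file events, and adds the kind of allowlist the tuning bullets above call for. All paths, hostnames, usernames and process names, including the quarantine directory and the `threatsonar_updater.exe` updater process used as allowlist entries, are assumptions for illustration; the hour bucketing is a simplification of Chronicle's sliding match window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regexes mirroring the YARA-L rule.
PRODUCT_PATH_RE = re.compile(r"(?i)(threatsonar|antiransomware|teamt5)")
PRODUCT_PROC_RE = re.compile(r"(?i)(threatsonar|antiransomware)")
DANGEROUS_EXT_RE = re.compile(r"(?i)\.(php|asp|aspx|jsp|war|exe|dll|bat|cmd|ps1|sh|py|rb|pl)$")
WEBSHELL_EXT_RE = re.compile(r"(?i)\.(php|asp|aspx|jsp)$")
BINARY_EXT_RE = re.compile(r"(?i)\.(exe|dll)$")

# Tuning allowlist (assumed locations/processes, not vendor-documented):
# the quarantine store keeps samples with their original extension, and the
# official updater legitimately writes new binaries into the install tree.
ALLOWLIST_PATH_RES = [re.compile(r"(?i)[\\/]quarantine[\\/]")]
ALLOWLIST_PROCS = {"threatsonar_updater.exe"}  # hypothetical updater binary


def _basename(path):
    """Last path component, tolerant of both '/' and '\\' separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_allowlisted(ev):
    path, proc = ev.get("path", ""), ev.get("process", "")
    return any(r.search(path) for r in ALLOWLIST_PATH_RES) or _basename(proc) in ALLOWLIST_PROCS


def matches(ev):
    """True if the event satisfies the rule's events section and no allowlist entry."""
    if ev.get("event_type") != "FILE_CREATION":
        return False
    path, proc = ev.get("path", ""), ev.get("process", "")
    if not (PRODUCT_PATH_RE.search(path) or PRODUCT_PROC_RE.search(proc)):
        return False
    if not DANGEROUS_EXT_RE.search(path):
        return False
    return not is_allowlisted(ev)


def risk_score(path):
    """Same tiering as the rule's outcome: web shell 95, native binary 85, else 70."""
    if WEBSHELL_EXT_RE.search(path):
        return 95
    if BINARY_EXT_RE.search(path):
        return 85
    return 70


def evaluate(events, window=timedelta(hours=1)):
    """Group matching events per (host, window bucket) and aggregate like the outcome section."""
    buckets = defaultdict(list)
    for ev in events:
        if matches(ev):
            ts = datetime.fromisoformat(ev["ts"])
            start = ts - (ts - datetime.min) % window  # floor timestamp to the window
            buckets[(ev["hostname"], start)].append(ev)
    detections = []
    for (host, start), evs in sorted(buckets.items()):
        detections.append({
            "host": host,
            "window_start": start.isoformat(),
            "risk_score": max(risk_score(e["path"]) for e in evs),
            "file_paths": sorted({e["path"] for e in evs}),
            "actors": sorted({e["user"] for e in evs}),
        })
    return detections


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    # Web shell dropped into the management interface's upload directory.
    {"ts": "2024-09-01T10:05:00", "event_type": "FILE_CREATION", "hostname": "ts-mgmt01",
     "user": "www-data", "process": "/opt/threatsonar/bin/httpd",
     "path": "/opt/threatsonar/web/uploads/shell.php"},
    # Follow-on binary on the same host inside the hour.
    {"ts": "2024-09-01T10:40:00", "event_type": "FILE_CREATION", "hostname": "ts-mgmt01",
     "user": "www-data", "process": "/opt/threatsonar/bin/httpd",
     "path": "/opt/threatsonar/tmp/dropper.exe"},
    # Quarantined malware sample: dangerous extension, but allowlisted path.
    {"ts": "2024-09-01T10:50:00", "event_type": "FILE_CREATION", "hostname": "ts-mgmt01",
     "user": "root", "process": "/opt/threatsonar/bin/agent",
     "path": "/opt/threatsonar/quarantine/sample.exe"},
    # Benign text file in the install tree: product path, harmless extension.
    {"ts": "2024-09-01T11:10:00", "event_type": "FILE_CREATION", "hostname": "ts-mgmt02",
     "user": "root", "process": "/usr/bin/vim",
     "path": "/opt/threatsonar/etc/notes.txt"},
    # Official updater writing a DLL: allowlisted by process name.
    {"ts": "2024-09-01T11:15:00", "event_type": "FILE_CREATION", "hostname": "ts-mgmt02",
     "user": "SYSTEM", "process": r"C:\Program Files\TeamT5\ThreatSonar\threatsonar_updater.exe",
     "path": r"C:\Program Files\TeamT5\ThreatSonar\bin\agent.dll"},
    # ASPX shell written by the IIS worker: product path matches via 'TeamT5'.
    {"ts": "2024-09-01T12:30:00", "event_type": "FILE_CREATION", "hostname": "ts-mgmt02",
     "user": "IIS APPPOOL\\ThreatSonar", "process": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "path": r"C:\Program Files\TeamT5\ThreatSonar\www\cmd.aspx"},
]

if __name__ == "__main__":
    for det in evaluate(SAMPLE_EVENTS):
        print(det)
```

Running it yields two detections: one for `ts-mgmt01` in the 10:00 window (score 95, both the `.php` shell and the `.exe` dropper listed) and one for `ts-mgmt02` in the 12:00 window for the ASPX shell, while the quarantine sample and the updater-written DLL are suppressed. When porting the allowlist back into YARA-L, express it as negated `re.regex` conditions in the events section rather than dropping extensions from the dangerous-type list, so the exclusion stays scoped to the known-benign path or writer.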

Testing Methodology

Validate this detection against three adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see; the executable commands and cleanup steps are available with Pro. Run the tests on a lab host whose agent forwards FILE_CREATION events to Chronicle, and confirm the rule fires for the host within the one-hour match window.

  1. Test 1: Simulate web shell upload to ThreatSonar upload directory

    Expected signal: Sysmon Event ID 11 (FileCreate) showing creation of a .php file in the ThreatSonar path; DeviceFileEvents in MDE showing FileName=test_shell.php in the ThreatSonar directory

  2. Test 2: Simulate ASP web shell drop via PowerShell (ThreatSonar IIS context)

    Expected signal: Sysmon Event ID 11 with TargetFilename matching *.aspx under wwwroot/threatsonar; IIS log entry if the file is subsequently requested

  3. Test 3: Simulate post-exploitation cmd.exe spawn from the web worker process in ThreatSonar context

    Expected signal: Sysmon Event ID 1 showing cmd.exe spawned from the threatsonar_worker.exe process; process tree showing execution of whoami; DeviceProcessEvents in MDE capturing the parent-child process relationship
