CVE-2024-7694 Sumo Logic CSE · Sumo

Detect TeamT5 ThreatSonar Anti-Ransomware Unrestricted File Upload (CVE-2024-7694) in Sumo Logic CSE

CVE-2024-7694 is an unrestricted file upload vulnerability (CWE-434) in TeamT5 ThreatSonar Anti-Ransomware. An attacker can upload files with dangerous types to the ThreatSonar management interface, potentially achieving remote code execution on the host running the security product. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation of a security product creates a high-impact scenario where the attacker may gain privileged access to the endpoint security management plane.

MITRE ATT&CK

Tactic
Initial Access Execution Persistence

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=endpoint OR _sourceCategory=windows/sysmon
| where _raw matches /(?i)(threatsonar|antiransomware|teamt5)/
| parse regex field=_raw "(?<file_path>[A-Za-z]:\\\\[^\"\n]+\.(?<file_ext>php|asp|aspx|jsp|war|exe|dll|bat|cmd|ps1|sh|py|rb|pl))" nodrop
| where !isNull(file_ext)
| parse regex field=_raw "(?i)user[\s=:\"]+(?<username>[\w\\\\@\.]+)" nodrop
| parse regex field=_raw "(?i)image[\s=:\"]+(?<process_image>[^\"\n,]+)" nodrop
| parse regex field=_raw "(?i)commandline[\s=:\"]+(?<cmd_line>[^\"\n]+)" nodrop
| eval risk=if(file_ext in ("php","asp","aspx","jsp"),"CRITICAL",if(file_ext in ("exe","dll"),"HIGH","MEDIUM"))
| count by _sourceHost, username, file_path, file_ext, process_image, risk
| order by risk, _count desc
critical severity medium confidence

Sumo Logic query detecting creation of web-executable and dangerous file types in ThreatSonar paths via Sysmon or endpoint logs, surfacing potential CVE-2024-7694 unrestricted upload exploitation.

Data Sources

Sumo Logic Cloud SIEMSysmon log collectionWindows endpoint agents

False Positives & Tuning

  • Legitimate TeamT5 software updates containing executable payloads
  • ThreatSonar internal quarantine directory storing malware samples
  • Authorized deployment automation modifying ThreatSonar installation directories
  • Security test environments running exploit simulations

Other platforms for CVE-2024-7694

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulate web shell upload to ThreatSonar upload directory

    Expected signal: Sysmon Event ID 11 (FileCreate) showing creation of .php file in ThreatSonar path; DeviceFileEvents in MDE showing FileName=test_shell.php in ThreatSonar directory

  2. Test 2Simulate ASP webshell drop via PowerShell (ThreatSonar IIS context)

    Expected signal: Sysmon Event ID 11 with TargetFilename matching *.aspx in wwwroot/threatsonar; IIS log entry if file is subsequently requested

  3. Test 3Simulate post-exploitation cmd.exe spawn from web worker process in ThreatSonar context

    Expected signal: Sysmon Event ID 1 showing cmd.exe spawned from threatsonar_worker.exe process; process tree showing execution of whoami; DeviceProcessEvents in MDE capturing the parent-child process relationship

Last updated: 2026-06-19 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2024-7694 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0003Persistence

Related Techniques

T1190Exploit Public-Facing ApplicationT1505.003Web ShellT1078Valid Accounts

Same Tactic: Initial Access

Popular Detections