
Summary
This analytic detects attempts to exploit CVE-2024-1708, a vulnerability in ConnectWise ScreenConnect that allows attackers to conduct path traversal attacks. Such attacks involve manipulating the 'file_path' and 'file_name' parameters in the URL, enabling unauthorized access to sensitive files and directories on the host system. Using the Filesystem node of the Endpoint datamodel, the rule identifies suspicious file system events that specifically target paths related to ScreenConnect applications. If the vulnerability is exploited, attackers could gain control over the system, resulting in potential data exfiltration or arbitrary code execution. The rule is designed to recognize these file system irregularities in real time, minimizing the chances that attackers exploit vulnerabilities undetected.
Categories
- Endpoint
Data Sources
- Pod
- Container
ATT&CK Techniques
- T1190
Created: 2024-11-13