ScreenConnect remote binary execution

ScreenConnect RMM has feature to remotely execute binaries on a target machine. The binaries will be dropped to C:\Users\User\Documents\ConnectWiseControl\Temp\ before execution.
SigmaHQ · Oct 1, 2023 · 3f44b93 · 3f44b93
1 parent 04a928d
commit 3f44b93
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/rules/windows/file/file_event/file_event_win_screenconnect_remote_tool_execution.yaml b/rules/windows/file/file_event/file_event_win_screenconnect_remote_tool_execution.yaml
@@ -0,0 +1,25 @@
+title: Remote Access Tool - ScreenConnect Remote Tool Execution
+id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
+status: experimental
+description: ScreenConnect RMM has feature to remotely execute binaries on a target machine. The binaries will be dropped to C:\Users\User\Documents\ConnectWiseControl\Temp\ before execution.
+related:
+    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+      type: similar
+author: Ali Alwashali
+date: 2023/10/10
+modified: 2023/10/10
+tags:
+    - attack.execution
+    - attack.T1059.003
+logsource:
+    category: file_event
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\ScreenConnect.WindowsClient.exe'
+    selection_file:
+        - TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: low