From 3f44b93973726dfa080995554306fc833cdad955 Mon Sep 17 00:00:00 2001
From: Ali Alwashali
Date: Sun, 1 Oct 2023 14:55:09 +0300
Subject: [PATCH] ScreenConnect remote binary execution

ScreenConnect RMM has feature to remotely execute binaries on a target machine. The binaries will be dropped to C:\Users\User\Documents\ConnectWiseControl\Temp\ before execution.
---
 ...n_screenconnect_remote_tool_execution.yaml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_screenconnect_remote_tool_execution.yaml

diff --git a/rules/windows/file/file_event/file_event_win_screenconnect_remote_tool_execution.yaml b/rules/windows/file/file_event/file_event_win_screenconnect_remote_tool_execution.yaml
new file mode 100644
index 00000000000..d8c77636822
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_screenconnect_remote_tool_execution.yaml
@@ -0,0 +1,25 @@
+title: Remote Access Tool - ScreenConnect Remote Tool Execution
+id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
+status: experimental
+description: ScreenConnect RMM has feature to remotely execute binaries on a target machine. The binaries will be dropped to C:\Users\User\Documents\ConnectWiseControl\Temp\ before execution.
+related:
+ - id: b1f73849-6329-4069-bc8f-78a604bb8b23
+ type: similar
+author: Ali Alwashali
+date: 2023/10/10
+modified: 2023/10/10
+tags:
+ - attack.execution
+ - attack.T1059.003
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\ScreenConnect.WindowsClient.exe'
+ selection_file:
+ - TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: low
\ No newline at end of file
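Review bot: The technique tag `attack.T1059.003` (Windows Command Shell) does not describe what the selection actually matches — a file written by ScreenConnect.WindowsClient.exe into the ConnectWiseControl Temp folder — and it uses an uppercase `T` where, as far as I recall, SigmaHQ conventions and its tag checks expect lowercase; `attack.t1219` (Remote Access Software) looks like the closer fit, with `attack.t1059.003` the lowercase form if the command-shell tag is deliberately kept. The description hard-codes `C:\Users\User\Documents\ConnectWiseControl\Temp\`, which reads as a literal account name; `C:\Users\<username>\Documents\ConnectWiseControl\Temp\` states the actual drop location without implying one. The indentation of the `related` block appears lost in this copy of the patch, so it is worth confirming that `type: similar` sits under the `- id:` entry in the committed file rather than at list level. `date`/`modified` are `2023/10/10` while the patch is dated 1 Oct 2023; presumably these should agree with the merge date.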