-
Notifications
You must be signed in to change notification settings - Fork 526
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[New] Suspicious Execution via ScreenConnect (#3541)
* [New] Suspicious Execution via ScreenConnect - Suspicious ScreenConnect Client Child Process (limited to known suspicious patterns) - ScreenConnect Server Spawning Suspicious Processes (webshell access via ScreenConnect server) * Update command_and_control_screenconnect_childproc.toml * Update rules/windows/initial_access_webshell_screenconnect_server.toml * Update rules/windows/command_and_control_screenconnect_childproc.toml * Update rules/windows/command_and_control_screenconnect_childproc.toml Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> * Update command_and_control_screenconnect_childproc.toml * Update command_and_control_screenconnect_childproc.toml --------- Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com> Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> (cherry picked from commit d7aff43)
- Loading branch information
1 parent
d8c4e16
commit 1a68c84
Showing
2 changed files
with
142 additions
and
0 deletions.
There are no files selected for viewing
73 changes: 73 additions & 0 deletions
73
rules/windows/command_and_control_screenconnect_childproc.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,73 @@ | ||
| [metadata] | ||
| creation_date = "2024/03/27" | ||
| integration = ["endpoint", "windows"] | ||
| maturity = "production" | ||
| updated_date = "2024/03/27" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
|
|
||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution | ||
| abusing unauthorized access to the ScreenConnect remote access software. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "Suspicious ScreenConnect Client Child Process" | ||
| references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"] | ||
| risk_score = 47 | ||
| rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546" | ||
| severity = "medium" | ||
| tags = [ | ||
| "Domain: Endpoint", | ||
| "OS: Windows", | ||
| "Use Case: Threat Detection", | ||
| "Tactic: Command and Control", | ||
| "Resources: Investigation Guide", | ||
| "Data Source: Elastic Endgame", | ||
| "Data Source: Elastic Defend", | ||
| "Data Source: Sysmon" | ||
| ] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| process where host.os.type == "windows" and event.type == "start" and | ||
| process.parent.name : | ||
| ("ScreenConnect.ClientService.exe", | ||
| "ScreenConnect.WindowsClient.exe", | ||
| "ScreenConnect.WindowsBackstageShell.exe", | ||
| "ScreenConnect.WindowsFileManager.exe") and | ||
| ( | ||
| (process.name : "powershell.exe" and | ||
| process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or | ||
| (process.name : "cmd.exe" and process.args : "/c") or | ||
| (process.name : "net.exe" and process.args : "/add") or | ||
| (process.name : "schtasks.exe" and process.args : ("/create", "-create")) or | ||
| (process.name : "sc.exe" and process.args : "create") or | ||
| (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or | ||
| (process.name : "msiexec.exe" and process.args : ("/i", "-i") and | ||
| process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or | ||
| process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe", | ||
| "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe") | ||
| ) | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1219" | ||
| name = "Remote Access Software" | ||
| reference = "https://attack.mitre.org/techniques/T1219/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0011" | ||
| name = "Command and Control" | ||
| reference = "https://attack.mitre.org/tactics/TA0011/" | ||
|
|
69 changes: 69 additions & 0 deletions
69
rules/windows/initial_access_webshell_screenconnect_server.toml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| [metadata] | ||
| creation_date = "2024/03/26" | ||
| integration = ["endpoint", "windows"] | ||
| maturity = "production" | ||
| min_stack_comments = "New fields added: required_fields, related_integrations, setup" | ||
| min_stack_version = "8.3.0" | ||
| updated_date = "2024/03/26" | ||
|
|
||
| [rule] | ||
| author = ["Elastic"] | ||
| description = """ | ||
| Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may | ||
| indicate exploitation activity or access to an existing web shell backdoor. | ||
| """ | ||
| from = "now-9m" | ||
| index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"] | ||
| language = "eql" | ||
| license = "Elastic License v2" | ||
| name = "ScreenConnect Server Spawning Suspicious Processes" | ||
| references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"] | ||
| risk_score = 73 | ||
| rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73" | ||
| severity = "high" | ||
| tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"] | ||
| timestamp_override = "event.ingested" | ||
| type = "eql" | ||
|
|
||
| query = ''' | ||
| process where host.os.type == "windows" and event.type == "start" and | ||
| process.parent.name : "ScreenConnect.Service.exe" and | ||
| (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or | ||
| ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) | ||
| ''' | ||
|
|
||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1190" | ||
| name = "Exploit Public-Facing Application" | ||
| reference = "https://attack.mitre.org/techniques/T1190/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0001" | ||
| name = "Initial Access" | ||
| reference = "https://attack.mitre.org/tactics/TA0001/" | ||
|
|
||
| [[rule.threat]] | ||
| framework = "MITRE ATT&CK" | ||
| [[rule.threat.technique]] | ||
| id = "T1059" | ||
| name = "Command and Scripting Interpreter" | ||
| reference = "https://attack.mitre.org/techniques/T1059/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1059.001" | ||
| name = "PowerShell" | ||
| reference = "https://attack.mitre.org/techniques/T1059/001/" | ||
| [[rule.threat.technique.subtechnique]] | ||
| id = "T1059.003" | ||
| name = "Windows Command Shell" | ||
| reference = "https://attack.mitre.org/techniques/T1059/003/" | ||
|
|
||
|
|
||
| [rule.threat.tactic] | ||
| id = "TA0002" | ||
| name = "Execution" | ||
| reference = "https://attack.mitre.org/tactics/TA0002/" | ||
|
|