[New] Suspicious Execution via ScreenConnect

rules/windows/command_and_control_screenconnect_childproc.toml

@@ -0,0 +1,66 @@
+[metadata]
+creation_date = "2024/03/26"
+integration = ["endpoint", "windows"]
+maturity = "production"
+updated_date = "2024/03/26"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
+abusing unauthorized access to the ScreenConnect remote access software.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "Suspicious ScreenConnect Client Child Process"
+references = ["http://web.archive.org/web/20230329160957/https://blog.menasec.net/2019/11/hunting-for-suspicious-use-of.html"]
+risk_score = 47
+rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
+severity = "medium"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Command and Control",
+    "Resources: Investigation Guide",
+    "Data Source: Elastic Endgame",
+    "Data Source: Elastic Defend",
+    "Data Source: Sysmon"
+]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name :
+                ("ScreenConnect.ClientService.exe",
+                 "ScreenConnect.WindowsClient.exe",
+                 "ScreenConnect.WindowsBackstageShell.exe") and
+  (
+   (process.name : "powershell.exe" and
+    process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or
+   (process.name : "cmd.exe" and process.args : "/c") or
+   (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or
+   process.name : ("mshta.exe", "msiexec.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe")
+   )
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1219"
+name = "Remote Access Software"
+reference = "https://attack.mitre.org/techniques/T1219/"
+
+
+[rule.threat.tactic]
+id = "TA0011"
+name = "Command and Control"
+reference = "https://attack.mitre.org/tactics/TA0011/"
+

rules/windows/initial_access_webshell_screenconnect_server.toml

@@ -0,0 +1,69 @@
+[metadata]
+creation_date = "2024/03/26"
+integration = ["endpoint", "windows"]
+maturity = "production"
+min_stack_comments = "New fields added: required_fields, related_integrations, setup"
+min_stack_version = "8.3.0"
+updated_date = "2024/03/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may
+indicate exploitation activity or access to an existing web shell backdoor.
+"""
+from = "now-9m"
+index = ["logs-endpoint.events.*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"]
+language = "eql"
+license = "Elastic License v2"
+name = "ScreenConnect Server Spawning Suspicious Processes"
+references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
+risk_score = 73
+rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
+severity = "high"
+tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
+timestamp_override = "event.ingested"
+type = "eql"
+
+query = '''
+process where host.os.type == "windows" and event.type == "start" and
+  process.parent.name : "ScreenConnect.Service.exe" and
+  (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
+  ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1190"
+name = "Exploit Public-Facing Application"
+reference = "https://attack.mitre.org/techniques/T1190/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.003"
+name = "Windows Command Shell"
+reference = "https://attack.mitre.org/techniques/T1059/003/"
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"
+