Sigma rules for ConnectWise
9 rules · scoped to tool · back to ConnectWise
Direct rules mention this entity in their title or description. Related rules cover the techniques this entity is known to use.
title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: |
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ScreenConnect.WindowsClient.exe'
TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
# Note: Incase the level if ScreenConnect is not used
level: low
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
- https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
- attack.initial-access
- attack.t1190
logsource:
product: windows
category: process_creation
detection:
selection:
ParentImage|endswith: '\ScreenConnect.Service.exe'
Image|endswith:
- '\cmd.exe'
- '\csc.exe'
condition: selection
falsepositives:
- Unlikely
level: high
title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
condition: selection
falsepositives:
- Legitimate use
level: medium
title: Remote Access Tool - ScreenConnect Installation Execution
id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
status: test
description: Detects ScreenConnect program starts that establish a remote access to a system.
references:
- https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
author: Florian Roth (Nextron Systems)
date: 2021-02-11
modified: 2024-02-26
tags:
- attack.persistence
- attack.initial-access
- attack.t1133
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- 'e=Access&'
- 'y=Guest&'
- '&p='
- '&c='
- '&k='
condition: selection
falsepositives:
- Legitimate use by administrative staff
level: medium
title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
- id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
type: derived
status: test
description: |
Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
- https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
- https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
product: windows
category: process_creation
detection:
selection:
ParentCommandLine|contains|all:
- ':\Windows\TEMP\ScreenConnect\'
- 'run.cmd'
Image|endswith:
- '\bitsadmin.exe'
- '\cmd.exe'
- '\curl.exe'
- '\dllhost.exe'
- '\net.exe'
- '\nltest.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\rundll32.exe'
- '\wevtutil.exe'
condition: selection
falsepositives:
- If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
level: medium
title: Remote Access Tool - ScreenConnect Execution
id: 57bff678-25d1-4d6c-8211-8ca106d12053
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
modified: 2023-03-05
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'ScreenConnect Service'
- Product: 'ScreenConnect'
- Company: 'ScreenConnect Software'
condition: selection
falsepositives:
- Legitimate usage of the tool
level: medium
title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: test
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
modified: 2024-02-26
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\ScreenConnect.ClientService.exe'
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
# Example:
# CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
CommandLine|contains: '\TEMP\ScreenConnect\'
condition: all of selection_*
falsepositives:
- Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
# Note: Increase the level if you don't leverage ScreenConnect
level: low
title: Remote Access Tool - ScreenConnect File Transfer
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: Detects file being transferred via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
selection:
Provider_Name: 'ScreenConnect'
EventID: 201
Data|contains: 'Transferred files with action'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: test
description: Detects command execution via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
selection:
Provider_Name: 'ScreenConnect'
EventID: 200
Data|contains: 'Executed command of length'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low