Newly Observed ScreenConnect Host Server

Detects when the ScreenConnect client (ConnectWise Control) connects to a newly observed host server that is not the official ScreenConnect cloud. ScreenConnect is a common RMM/remote access tool abused for C2 and persistence. Self-hosted or non-standard relay servers may indicate abuse or compromise. The rule aggregates by server host (parsed from the client command line), requires first-time observation within the rule window, and limits to a single host to reduce noise.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2026/03/09"
integration = ["endpoint"]
maturity = "production"
updated_date = "2026/03/09"

[rule]
author = ["Elastic"]
description = """
Detects when the ScreenConnect client (ConnectWise Control) connects to a newly observed host server that is not the official ScreenConnect cloud. ScreenConnect is a common RMM/remote access tool abused for C2 and persistence. Self-hosted or non-standard relay servers may indicate abuse or compromise. The rule aggregates by server host (parsed from the client command line), requires first-time observation within the rule window, and limits to a single host to reduce noise.
"""
from = "now-5d"
interval = "6m"
language = "esql"
license = "Elastic License v2"
name = "Newly Observed ScreenConnect Host Server"
note = """## Triage and analysis

### Investigating Newly Observed ScreenConnect Host Server

ScreenConnect (ConnectWise Control) is legitimate RMM software often abused by threat actors for command-and-control and persistence. This rule fires when a host is seen connecting to a ScreenConnect server host that was not seen before (within the rule window) and that is not the official *.screenconnect.com cloud—surfacing self-hosted or non-standard relay servers that may indicate abuse.

### Possible investigation steps

- Identify the host and user from the alert and confirm whether use of ScreenConnect is approved.
- Inspect the parsed ScreenConnect server host (Esql.screenconnect_server)—is it an internal host, a known vendor, or an unknown domain/IP?
- Review the process command line for the full connection parameters and any other suspicious options.
- Correlate with the companion rule "First Time Seen Remote Monitoring and Management Tool" for the same host.
- Check for other alerts on the host or user in the past 48 hours.

### False positive analysis

- Legitimate use of self-hosted ScreenConnect/ConnectWise Control by IT or MSP will trigger; allowlist known relay servers by host or exception if appropriate.
- New deployments of on-prem ScreenConnect relays will appear as newly observed; validate with change management.

### Response and remediation

- If unauthorized RMM use or an unknown relay is confirmed: isolate the host, remove or block the client, and investigate how the software was installed and who operates the server.
- Enforce policy that only approved RMM tools and approved relay servers may be used.
"""
references = [
    "https://attack.mitre.org/techniques/T1219/002/",
    "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-025a",
]
risk_score = 73
rule_id = "a8b2c4d6-e8f0-12a4-b6c8-d0e2f4a6b8c0"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
    "Data Source: Elastic Defend"
]
timestamp_override = "event.ingested"
type = "esql"

query = '''
from logs-endpoint.events.process-* metadata _id, _version, _index
| where event.category == "process" and event.type == "start" and (process.name == "ScreenConnect.ClientService.exe" or process.code_signature.subject_name == "ConnectWise, LLC")
| grok process.command_line """e=Access&y=Guest&h=(?<Esql.screenconnect_server>[^&]+)&p"""
| where Esql.screenconnect_server is not null and not Esql.screenconnect_server like "*.screenconnect.com"
| stats Esql.count_distinct_host_id = count_distinct(host.id),
        Esql.first_time_seen = min(@timestamp),
        Esql.user_name_values = values(user.name),
        Esql.command_line_values = values(process.command_line),
        Esql.host_id_values = values(host.id),
        Esql.host_name_values = values(host.name) by Esql.screenconnect_server
| eval Esql.recent = date_diff("minute", Esql.first_time_seen, now())
| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1
| eval host.id = mv_first(Esql.host_id_values),
       host.name = mv_first(Esql.host_name_values),
       process.command_line = mv_first(Esql.command_line_values)
| keep host.id, host.name, process.command_line, Esql.screenconnect_server
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Tools"
reference = "https://attack.mitre.org/techniques/T1219/"
[[rule.threat.technique.subtechnique]]
id = "T1219.002"
name = "Remote Desktop Software"
reference = "https://attack.mitre.org/techniques/T1219/002/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"
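To make the ES|QL pipeline above concrete for anyone tuning or testing it, here is an added Python re-implementation of the same filter, grok, stats and where steps run over a handful of constructed process-start events. This is example code written for this page, not Elastic's rule or any Elastic tooling; the event dictionaries, host and user names, and the `.example.internal` relay hostnames are all constructed, and the list of events stands in for the rule's 5-day lookback (`from = "now-5d"`), so the earliest sighting of a server within that list is its `first_time_seen`.

```python
import re
from datetime import datetime, timedelta, timezone

# Python equivalent of the rule's grok pattern: e=Access&y=Guest&h=<server>&p
SERVER_RE = re.compile(r"e=Access&y=Guest&h=(?P<server>[^&]+)&p")
OFFICIAL_CLOUD_SUFFIX = ".screenconnect.com"   # rule: like "*.screenconnect.com"
SIGNER = "ConnectWise, LLC"
CLIENT_EXE = "ScreenConnect.ClientService.exe"


def parse_server(command_line):
    """Return the relay host embedded in the client command line, or None."""
    match = SERVER_RE.search(command_line or "")
    return match.group("server") if match else None


def is_official_cloud(server):
    """Mirror the rule's `like "*.screenconnect.com"` exclusion."""
    return server.lower().endswith(OFFICIAL_CLOUD_SUFFIX)


def find_new_servers(events, now, window_minutes=6):
    """Replay the rule's where/grok/stats/where pipeline over a list of events.

    Returns {server: summary} for relay hosts whose first sighting in `events`
    is at most `window_minutes` old and that were seen on exactly one host.
    """
    groups = {}
    for ev in events:
        if ev.get("event.category") != "process" or ev.get("event.type") != "start":
            continue
        if not (ev.get("process.name") == CLIENT_EXE
                or ev.get("process.code_signature.subject_name") == SIGNER):
            continue
        server = parse_server(ev.get("process.command_line"))
        if server is None or is_official_cloud(server):
            continue
        g = groups.setdefault(server, {"host_ids": set(), "host_names": set(),
                                       "user_names": set(), "command_lines": [],
                                       "first_time_seen": ev["@timestamp"]})
        g["host_ids"].add(ev["host.id"])
        g["host_names"].add(ev["host.name"])
        g["user_names"].add(ev["user.name"])
        g["command_lines"].append(ev["process.command_line"])
        g["first_time_seen"] = min(g["first_time_seen"], ev["@timestamp"])  # min(@timestamp)

    alerts = {}
    for server, g in groups.items():
        # date_diff("minute", first_time_seen, now()) truncates to whole minutes
        recent = int((now - g["first_time_seen"]).total_seconds() // 60)
        if recent <= window_minutes and len(g["host_ids"]) == 1:
            alerts[server] = {
                "host.id": next(iter(g["host_ids"])),       # mv_first(host_id_values)
                "host.name": next(iter(g["host_names"])),
                "user.name": sorted(g["user_names"]),
                "process.command_line": g["command_lines"][0],
                "minutes_since_first_seen": recent,
            }
    return alerts


# ---- constructed sample data (not real telemetry) ----
NOW = datetime(2026, 3, 9, 12, 0, tzinfo=timezone.utc)


def _cmdline(server):
    # Constructed client command line in the shape the grok pattern expects
    return ('"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe" '
            f'"?e=Access&y=Guest&h={server}&p=443&s=00000000-0000-0000-0000-000000000000"')


def _event(minutes_ago, host_id, host_name, user, server, proc=CLIENT_EXE, signer=SIGNER):
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago),
            "event.category": "process", "event.type": "start",
            "host.id": host_id, "host.name": host_name, "user.name": user,
            "process.name": proc, "process.code_signature.subject_name": signer,
            "process.command_line": _cmdline(server)}


SAMPLE_EVENTS = [
    # unknown self-hosted relay, first seen 3 min ago on one host -> should alert
    _event(3, "host-a", "WS-A", "alice", "relay.example.internal"),
    # official cloud relay -> dropped by the like-filter
    _event(2, "host-b", "WS-B", "bob", "example.screenconnect.com"),
    # same relay on two hosts inside the window -> count_distinct_host_id == 2
    _event(1, "host-c", "WS-C", "carol", "shared-relay.example.internal"),
    _event(2, "host-d", "WS-D", "dave", "shared-relay.example.internal"),
    # relay first seen two days ago on this host -> outside the 6-minute window
    _event(2 * 24 * 60, "host-e", "WS-E", "erin", "old-relay.example.internal"),
    _event(1, "host-e", "WS-E", "erin", "old-relay.example.internal"),
    # unsigned binary with a different name but the same URL shape -> not matched
    _event(1, "host-f", "WS-F", "frank", "other.example.internal", proc="updater.exe", signer=None),
]


def run_sample():
    return find_new_servers(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for server, summary in run_sample().items():
        print(server, summary)
```

Two properties of the rule are visible in the replay: `Esql.recent <= 6` together with `interval = "6m"` means a server only fires on the run in which its earliest sighting falls, and "newly observed" is only relative to the 5-day lookback, so a relay that has been in steady use for longer than that never fires. When allowlisting a self-hosted relay per the false-positive notes, the parsed `Esql.screenconnect_server` value is the field to exclude on.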
