Suspicious ScreenConnect Client Child Process
Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.
[metadata]
# Dates are kept as "YYYY/MM/DD" strings rather than TOML dates; keep that
# form when bumping updated_date.
creation_date = "2024/03/27"
# Every data source whose process events this rule can run over.
integration = [
    "endpoint",
    "windows",
    "sentinel_one_cloud_funnel",
    "m365_defender",
    "system",
    "crowdstrike",
]
maturity = "production"
# Minimum stack version and the reason for it.
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
min_stack_version = "8.14.0"
updated_date = "2024/10/31"
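[rule]
author = ["Elastic"]
description = """
Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
abusing unauthorized access to the ScreenConnect remote access software.
"""
# Lookback window evaluated on each scheduled run.
from = "now-9m"
# Process-event indices, one pattern per supported data source.
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "logs-system.security*",
    "endgame-*",
    "logs-sentinel_one_cloud_funnel.*",
    "logs-m365_defender.event-*",
    "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious ScreenConnect Client Child Process"
references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
risk_score = 47
rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
    "Data Source: SentinelOne",
    "Data Source: Microsoft Defender for Endpoint",
    "Data Source: System",
    "Data Source: Crowdstrike",
]
# Use ingest time rather than event time so late-arriving events are not missed
# by the "from" window.
timestamp_override = "event.ingested"
type = "eql"

# Matches a process start whose parent is one of the ScreenConnect client
# binaries and whose child is one of the listed interpreters / utilities, some
# of them only when their arguments look like abuse (encoded or downloading
# PowerShell, cmd /c, net /add, task or service creation, quiet msiexec
# installs). rundll32 is excluded only for the url.dll,FileProtocolHandler
# invocation used to open URLs and files.
# Child names must match the on-disk binary exactly: the BITS client is
# "bitsadmin.exe" (an earlier revision spelled it "bistadmin.exe", which can
# never match and silently left that case undetected).
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name :
    ("ScreenConnect.ClientService.exe",
     "ScreenConnect.WindowsClient.exe",
     "ScreenConnect.WindowsBackstageShell.exe",
     "ScreenConnect.WindowsFileManager.exe") and
  (
    (process.name : "powershell.exe" and
     process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or
    (process.name : "cmd.exe" and process.args : "/c") or
    (process.name : "net.exe" and process.args : "/add") or
    (process.name : "schtasks.exe" and process.args : ("/create", "-create")) or
    (process.name : "sc.exe" and process.args : "create") or
    (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or
    (process.name : "msiexec.exe" and process.args : ("/i", "-i") and
     process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or
    process.name : ("mshta.exe", "certutil.exe", "bitsadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
                    "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
  )
'''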
[[rule.threat]]
framework = "MITRE ATT&CK"

# Technique: abuse of a legitimate remote access tool (the ScreenConnect client).
[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Software"
reference = "https://attack.mitre.org/techniques/T1219/"

# Tactic the technique is filed under; matches the "Tactic:" tag on the rule.
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"