Suspicious ScreenConnect Client Child Process
Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/27"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
6min_stack_version = "8.13.0"
7updated_date = "2024/06/25"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
13abusing unauthorized access to the ScreenConnect remote access software.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious ScreenConnect Client Child Process"
20references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
21risk_score = 47
22rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Command and Control",
29 "Resources: Investigation Guide",
30 "Data Source: Elastic Endgame",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33 "Data Source: SentinelOne",
34 "Data Source: Microsoft Defender for Endpoint"
35]
36timestamp_override = "event.ingested"
37type = "eql"
38
39query = '''
40process where host.os.type == "windows" and event.type == "start" and
41 process.parent.name :
42 ("ScreenConnect.ClientService.exe",
43 "ScreenConnect.WindowsClient.exe",
44 "ScreenConnect.WindowsBackstageShell.exe",
45 "ScreenConnect.WindowsFileManager.exe") and
46 (
47 (process.name : "powershell.exe" and
48 process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or
49 (process.name : "cmd.exe" and process.args : "/c") or
50 (process.name : "net.exe" and process.args : "/add") or
51 (process.name : "schtasks.exe" and process.args : ("/create", "-create")) or
52 (process.name : "sc.exe" and process.args : "create") or
53 (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or
54 (process.name : "msiexec.exe" and process.args : ("/i", "-i") and
55 process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or
56 process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
57 "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
58 )
59'''
60
61
62[[rule.threat]]
63framework = "MITRE ATT&CK"
64[[rule.threat.technique]]
65id = "T1219"
66name = "Remote Access Software"
67reference = "https://attack.mitre.org/techniques/T1219/"
68
69
70[rule.threat.tactic]
71id = "TA0011"
72name = "Command and Control"
73reference = "https://attack.mitre.org/tactics/TA0011/"
References
-
SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress
Adversaries have been VERY busy in the wake of the ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708). Here’s all the post-exploitation details, tradecraft, and tactics we’ve observed so far!
Read More
Related rules
- Adobe Hijack Persistence
- Potential Remote Desktop Tunneling Detected
- Suspicious Antimalware Scan Interface DLL
- Port Forwarding Rule Addition
- Creation or Modification of Domain Backup DPAPI private key