Suspicious ScreenConnect Client Child Process

Identifies suspicious processes spawned by ScreenConnect client processes. This activity may indicate command execution by someone abusing unauthorized access to the ScreenConnect remote access software.


 1[metadata]
 2creation_date = "2024/03/27"
 3integration = ["endpoint", "windows"]
 4maturity = "production"
 5updated_date = "2024/03/28"
 6min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 7min_stack_version = "8.3.0"
 8
 9
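[rule]
author = ["Elastic"]
description = """
Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
abusing unauthorized access to the ScreenConnect remote access software.
"""
# Look-back window for each rule execution; paired with timestamp_override below.
from = "now-9m"
# Process-event data streams the query runs against (Elastic Defend, Winlogbeat,
# Sysmon, Windows Security and Endgame).
index = [
    "logs-endpoint.events.process-*",
    "winlogbeat-*",
    "logs-windows.sysmon_operational-*",
    "logs-system.security*",
    "endgame-*",
]
language = "eql"
license = "Elastic License v2"
name = "Suspicious ScreenConnect Client Child Process"
references = [
    "https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
]
risk_score = 47
rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Command and Control",
    "Resources: Investigation Guide",
    "Data Source: Elastic Endgame",
    "Data Source: Elastic Defend",
    "Data Source: Sysmon",
]
# Evaluate the look-back window against ingest time so events that arrive late
# still fall inside the 9m window.
timestamp_override = "event.ingested"
type = "eql"

# Process-start events whose parent is one of the ScreenConnect client executables
# and whose child is either a commonly abused Windows utility or a shell/installer
# invoked with suspicious arguments (encoded PowerShell, download cradles, account
# or scheduled-task creation, service creation, quiet MSI installs).
# NOTE(review): an earlier revision listed "bistadmin.exe", which is not a Windows
# binary, so BITSAdmin launches never matched; corrected to "bitsadmin.exe".
query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : ("ScreenConnect.ClientService.exe",
                         "ScreenConnect.WindowsClient.exe",
                         "ScreenConnect.WindowsBackstageShell.exe",
                         "ScreenConnect.WindowsFileManager.exe") and
  (
   (process.name : "powershell.exe" and
    process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or
   (process.name : "cmd.exe" and process.args : "/c") or
   (process.name : "net.exe" and process.args : "/add") or
   (process.name : "schtasks.exe" and process.args : ("/create", "-create")) or
   (process.name : "sc.exe" and process.args : "create") or
   (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or
   (process.name : "msiexec.exe" and process.args : ("/i", "-i") and
    process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or
   process.name : ("mshta.exe", "certutil.exe", "bitsadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
                   "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
   )
'''
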
[[rule.threat]]
framework = "MITRE ATT&CK"

# Both sub-tables below attach to this [[rule.threat]] element.
[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat.technique]]
id = "T1219"
name = "Remote Access Software"
reference = "https://attack.mitre.org/techniques/T1219/"
