Suspicious ScreenConnect Client Child Process
Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution abusing unauthorized access to the ScreenConnect remote access software.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/27"
3integration = ["endpoint", "windows", "sentinel_one_cloud_funnel", "m365_defender", "system"]
4maturity = "production"
5min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
6min_stack_version = "8.14.0"
7updated_date = "2024/10/17"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the ScreenConnect client processes. This activity may indicate execution
13abusing unauthorized access to the ScreenConnect remote access software.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", "logs-sentinel_one_cloud_funnel.*", "logs-m365_defender.event-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "Suspicious ScreenConnect Client Child Process"
20references = ["https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"]
21risk_score = 47
22rule_id = "78de1aeb-5225-4067-b8cc-f4a1de8a8546"
23severity = "medium"
24tags = [
25 "Domain: Endpoint",
26 "OS: Windows",
27 "Use Case: Threat Detection",
28 "Tactic: Command and Control",
29 "Resources: Investigation Guide",
30 "Data Source: Elastic Endgame",
31 "Data Source: Elastic Defend",
32 "Data Source: Sysmon",
33 "Data Source: SentinelOne",
34 "Data Source: Microsoft Defender for Endpoint",
35 "Data Source: System",
36]
37timestamp_override = "event.ingested"
38type = "eql"
39
40query = '''
41process where host.os.type == "windows" and event.type == "start" and
42 process.parent.name :
43 ("ScreenConnect.ClientService.exe",
44 "ScreenConnect.WindowsClient.exe",
45 "ScreenConnect.WindowsBackstageShell.exe",
46 "ScreenConnect.WindowsFileManager.exe") and
47 (
48 (process.name : "powershell.exe" and
49 process.args : ("-enc", "-ec", "-e", "*downloadstring*", "*Reflection.Assembly*", "*http*")) or
50 (process.name : "cmd.exe" and process.args : "/c") or
51 (process.name : "net.exe" and process.args : "/add") or
52 (process.name : "schtasks.exe" and process.args : ("/create", "-create")) or
53 (process.name : "sc.exe" and process.args : "create") or
54 (process.name : "rundll32.exe" and not process.args : "url.dll,FileProtocolHandler") or
55 (process.name : "msiexec.exe" and process.args : ("/i", "-i") and
56 process.args : ("/q", "/quiet", "/qn", "-q", "-quiet", "-qn", "-Q+")) or
57 process.name : ("mshta.exe", "certutil.exe", "bistadmin.exe", "certreq.exe", "wscript.exe", "cscript.exe", "curl.exe",
58 "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe")
59 )
60'''
61
62
63[[rule.threat]]
64framework = "MITRE ATT&CK"
65[[rule.threat.technique]]
66id = "T1219"
67name = "Remote Access Software"
68reference = "https://attack.mitre.org/techniques/T1219/"
69
70
71[rule.threat.tactic]
72id = "TA0011"
73name = "Command and Control"
74reference = "https://attack.mitre.org/tactics/TA0011/"
References
-
SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708) | Huntress
Adversaries have been VERY busy in the wake of the ScreenConnect vulnerabilities (CVE-2024-1709 & CVE-2024-1708). Here’s all the post-exploitation details, tradecraft, and tactics we’ve observed so far!
Read More
Related rules
- Potential DNS Tunneling via NsLookup
- Potential File Download via a Headless Browser
- Remote File Download via Desktopimgdownldr Utility
- Remote File Download via MpCmdRun
- Attempt to Establish VScode Remote Tunnel