ScreenConnect Server Spawning Suspicious Processes
Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/26"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
4maturity = "production"
5updated_date = "2024/11/02"
6min_stack_version = "8.14.0"
7min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This
13activity may indicate exploitation activity or access to an existing web shell backdoor.
14"""
15from = "now-9m"
16index = [
17 "logs-endpoint.events.process-*",
18 "winlogbeat-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25 "logs-crowdstrike.fdr*",
26]
27language = "eql"
28license = "Elastic License v2"
29name = "ScreenConnect Server Spawning Suspicious Processes"
30references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
31risk_score = 73
32rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
33severity = "high"
34tags = [
35 "Domain: Endpoint",
36 "OS: Windows",
37 "Use Case: Threat Detection",
38 "Tactic: Initial Access",
39 "Tactic: Execution",
40 "Data Source: Elastic Endgame",
41 "Data Source: Elastic Defend",
42 "Data Source: Sysmon",
43 "Data Source: System",
44 "Data Source: Microsoft Defender for Endpoint",
45 "Data Source: SentinelOne",
46 "Data Source: Crowdstrike",
47]
48timestamp_override = "event.ingested"
49type = "eql"
50
51query = '''
52process where host.os.type == "windows" and event.type == "start" and
53 process.parent.name : "ScreenConnect.Service.exe" and
54 (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
55 ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
56'''
57
58
59[[rule.threat]]
60framework = "MITRE ATT&CK"
61[[rule.threat.technique]]
62id = "T1190"
63name = "Exploit Public-Facing Application"
64reference = "https://attack.mitre.org/techniques/T1190/"
65
66
67[rule.threat.tactic]
68id = "TA0001"
69name = "Initial Access"
70reference = "https://attack.mitre.org/tactics/TA0001/"
71[[rule.threat]]
72framework = "MITRE ATT&CK"
73[[rule.threat.technique]]
74id = "T1059"
75name = "Command and Scripting Interpreter"
76reference = "https://attack.mitre.org/techniques/T1059/"
77[[rule.threat.technique.subtechnique]]
78id = "T1059.001"
79name = "PowerShell"
80reference = "https://attack.mitre.org/techniques/T1059/001/"
81
82[[rule.threat.technique.subtechnique]]
83id = "T1059.003"
84name = "Windows Command Shell"
85reference = "https://attack.mitre.org/techniques/T1059/003/"
86
87
88
89[rule.threat.tactic]
90id = "TA0002"
91name = "Execution"
92reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Read a blog from our threat research team on the ConnectWise vulnerabilities, exploitation process, and how to detect these tactics.
Read More
Related rules
- Web Shell Detection: Script Process Child of Common Web Processes
- Suspicious MS Office Child Process
- Command Execution via SolarWinds Process
- Potential Foxmail Exploitation
- Suspicious PDF Reader Child Process