ScreenConnect Server Spawning Suspicious Processes
Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/26"
3integration = ["endpoint", "windows"]
4maturity = "production"
5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
6min_stack_version = "8.3.0"
7updated_date = "2024/03/28"
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may
13indicate exploitation activity or access to an existing web shell backdoor.
14"""
15from = "now-9m"
16index = ["logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*"]
17language = "eql"
18license = "Elastic License v2"
19name = "ScreenConnect Server Spawning Suspicious Processes"
20references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
21risk_score = 73
22rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
23severity = "high"
24tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon"]
25timestamp_override = "event.ingested"
26type = "eql"
27
28query = '''
29process where host.os.type == "windows" and event.type == "start" and
30 process.parent.name : "ScreenConnect.Service.exe" and
31 (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
32 ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
33'''
34
35
36[[rule.threat]]
37framework = "MITRE ATT&CK"
38[[rule.threat.technique]]
39id = "T1190"
40name = "Exploit Public-Facing Application"
41reference = "https://attack.mitre.org/techniques/T1190/"
42
43
44[rule.threat.tactic]
45id = "TA0001"
46name = "Initial Access"
47reference = "https://attack.mitre.org/tactics/TA0001/"
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1059"
53name = "Command and Scripting Interpreter"
54reference = "https://attack.mitre.org/techniques/T1059/"
55[[rule.threat.technique.subtechnique]]
56id = "T1059.001"
57name = "PowerShell"
58reference = "https://attack.mitre.org/techniques/T1059/001/"
59[[rule.threat.technique.subtechnique]]
60id = "T1059.003"
61name = "Windows Command Shell"
62reference = "https://attack.mitre.org/techniques/T1059/003/"
63
64
65[rule.threat.tactic]
66id = "TA0002"
67name = "Execution"
68reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Read a blog from our threat research team on the ConnectWise vulnerabilities, exploitation process, and how to detect these tactics.
Read More
Related rules
- Microsoft Exchange Worker Spawning Suspicious Processes
- Suspicious Explorer Child Process
- Windows Script Executing PowerShell
- Command Execution via SolarWinds Process
- Command Shell Activity Started via RunDLL32