ScreenConnect Server Spawning Suspicious Processes
Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/26"
3integration = ["endpoint", "windows"]
4maturity = "production"
5updated_date = "2024/05/21"
6
7[rule]
8author = ["Elastic"]
9description = """
10Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This
11activity may indicate exploitation activity or access to an existing web shell backdoor.
12"""
13from = "now-9m"
14index = [
15 "logs-endpoint.events.process-*",
16 "winlogbeat-*",
17 "logs-windows.sysmon_operational-*",
18 "logs-system.security*",
19 "endgame-*",
20]
21language = "eql"
22license = "Elastic License v2"
23name = "ScreenConnect Server Spawning Suspicious Processes"
24references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
25risk_score = 73
26rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
27severity = "high"
28tags = [
29 "Domain: Endpoint",
30 "OS: Windows",
31 "Use Case: Threat Detection",
32 "Tactic: Initial Access",
33 "Tactic: Execution",
34 "Data Source: Elastic Endgame",
35 "Data Source: Elastic Defend",
36 "Data Source: Sysmon",
37]
38timestamp_override = "event.ingested"
39type = "eql"
40
41query = '''
42process where host.os.type == "windows" and event.type == "start" and
43 process.parent.name : "ScreenConnect.Service.exe" and
44 (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
45 ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
46'''
47
48
49[[rule.threat]]
50framework = "MITRE ATT&CK"
51[[rule.threat.technique]]
52id = "T1190"
53name = "Exploit Public-Facing Application"
54reference = "https://attack.mitre.org/techniques/T1190/"
55
56
57[rule.threat.tactic]
58id = "TA0001"
59name = "Initial Access"
60reference = "https://attack.mitre.org/tactics/TA0001/"
61[[rule.threat]]
62framework = "MITRE ATT&CK"
63[[rule.threat.technique]]
64id = "T1059"
65name = "Command and Scripting Interpreter"
66reference = "https://attack.mitre.org/techniques/T1059/"
67[[rule.threat.technique.subtechnique]]
68id = "T1059.001"
69name = "PowerShell"
70reference = "https://attack.mitre.org/techniques/T1059/001/"
71
72[[rule.threat.technique.subtechnique]]
73id = "T1059.003"
74name = "Windows Command Shell"
75reference = "https://attack.mitre.org/techniques/T1059/003/"
76
77
78
79[rule.threat.tactic]
80id = "TA0002"
81name = "Execution"
82reference = "https://attack.mitre.org/tactics/TA0002/"
References
-
Read a blog from our threat research team on the ConnectWise vulnerabilities, exploitation process, and how to detect these tactics.
Read More
Related rules
- Microsoft Exchange Worker Spawning Suspicious Processes
- Suspicious Explorer Child Process
- Unusual Execution via Microsoft Common Console File
- Windows Script Executing PowerShell
- Windows Script Interpreter Executing Process via WMI