ScreenConnect Server Spawning Suspicious Processes
Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.
Elastic rule
[metadata]
creation_date = "2024/03/26"
integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel", "crowdstrike"]
maturity = "production"
updated_date = "2025/01/15"
min_stack_version = "8.14.0"
min_stack_comments = "Breaking change at 8.14.0 for the Windows Integration."

[rule]
author = ["Elastic"]
description = """
Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This
activity may indicate exploitation activity or access to an existing web shell backdoor.
"""
from = "now-9m"
index = [
  "logs-endpoint.events.process-*",
  "winlogbeat-*",
  "logs-windows.forwarded*",
  "logs-windows.sysmon_operational-*",
  "endgame-*",
  "logs-system.security*",
  "logs-m365_defender.event-*",
  "logs-sentinel_one_cloud_funnel.*",
  "logs-crowdstrike.fdr*",
]
language = "eql"
license = "Elastic License v2"
name = "ScreenConnect Server Spawning Suspicious Processes"
references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
risk_score = 73
rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Initial Access",
  "Tactic: Execution",
  "Data Source: Elastic Endgame",
  "Data Source: Elastic Defend",
  "Data Source: Sysmon",
  "Data Source: System",
  "Data Source: Microsoft Defender for Endpoint",
  "Data Source: SentinelOne",
  "Data Source: Crowdstrike",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.parent.name : "ScreenConnect.Service.exe" and
  (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
   ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
'''
58note = """## Triage and analysis
59
60> **Disclaimer**:
61> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
62
63### Investigating ScreenConnect Server Spawning Suspicious Processes
64
65ScreenConnect, a remote support tool, allows administrators to control systems remotely. Adversaries may exploit this by executing unauthorized commands or scripts, potentially using it as a backdoor. The detection rule identifies unusual child processes like command shells spawned by the ScreenConnect service, signaling possible exploitation or web shell activity, thus aiding in early threat detection.
66
67### Possible investigation steps
68
69- Review the alert details to confirm the parent process is ScreenConnect.Service.exe and identify the suspicious child process name, such as cmd.exe or powershell.exe.
70- Check the timestamp of the process start event to determine when the suspicious activity occurred and correlate it with any other unusual activities or alerts around the same time.
71- Investigate the user account associated with the process to determine if it is a legitimate user or potentially compromised.
72- Examine the command line arguments of the spawned process to identify any malicious or unauthorized commands being executed.
73- Review network logs for any unusual outbound connections initiated by the ScreenConnect service or the suspicious child process, which may indicate data exfiltration or communication with a command and control server.
74- Analyze the system for any additional indicators of compromise, such as unexpected file modifications or the presence of web shells, to assess the extent of the potential breach.
75
76### False positive analysis
77
78- Legitimate administrative tasks using command shells or scripting tools like cmd.exe or powershell.exe may trigger the rule. To manage this, create exceptions for known administrative scripts or tasks that are regularly executed by trusted users.
79- Automated maintenance scripts that utilize ScreenConnect for legitimate purposes can be mistaken for suspicious activity. Identify these scripts and whitelist their execution paths or specific process names to prevent false alerts.
80- Software updates or installations that require command line execution through ScreenConnect might be flagged. Document these processes and exclude them from the rule by specifying the associated process names or hashes.
81- Security tools or monitoring solutions that interact with ScreenConnect for legitimate scanning or logging purposes may inadvertently trigger the rule. Verify these tools and add them to an exception list based on their process identifiers or parent-child process relationships.
82- Training or demonstration sessions using ScreenConnect to showcase command line features could be misinterpreted as threats. Schedule these sessions and temporarily adjust the rule sensitivity or disable it during the known timeframes to avoid false positives.
83
84### Response and remediation
85
86- Isolate the affected system from the network to prevent further unauthorized access or lateral movement by the adversary.
87- Terminate any suspicious processes identified as being spawned by ScreenConnect.Service.exe, such as cmd.exe or powershell.exe, to halt any ongoing malicious activity.
88- Conduct a thorough review of recent ScreenConnect session logs to identify unauthorized access or unusual activity patterns, and revoke any compromised credentials.
89- Scan the affected system for additional indicators of compromise, such as web shells or other malware, using endpoint detection and response tools.
90- Apply security patches and updates to the ScreenConnect server and any other vulnerable applications to mitigate exploitation risks.
91- Restore the system from a known good backup if evidence of compromise is confirmed, ensuring that the backup is free from malicious artifacts.
92- Report the incident to the appropriate internal security team or external authorities if required, providing them with detailed findings and evidence for further investigation."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1190"
name = "Exploit Public-Facing Application"
reference = "https://attack.mitre.org/techniques/T1190/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique.subtechnique]]
id = "T1059.003"
name = "Windows Command Shell"
reference = "https://attack.mitre.org/techniques/T1059/003/"



[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
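To see what the query above matches and misses before it is deployed, here is a small Python re-implementation of its predicate run over constructed ECS-style process events. This is an added example, not code from the Elastic rule or its repository; the helper names `matches`, `event` and `evaluate` are this example's own, and every event below is constructed sample data, not real telemetry. It follows EQL operator semantics: `:` compares case-insensitively, `in` compares case-sensitively, and the `?` prefix makes a missing field compare as no match rather than an error.

```python
"""Re-implementation of the ScreenConnect rule's EQL predicate over constructed events.

Added example, not part of the Elastic rule. Event dicts are constructed samples.
"""

# process.parent.name : "ScreenConnect.Service.exe"  (':' is case-insensitive)
PARENT = "screenconnect.service.exe"
# process.name : ("cmd.exe", ...)                      (':' is case-insensitive)
SUSPICIOUS_NAMES = {"cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe"}
# ?process.pe.original_file_name in (...)              ('in' is case-sensitive, field optional)
SUSPICIOUS_ORIGINAL_NAMES = {"cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"}


def get(ev, path):
    """Resolve a dotted ECS field path in a nested dict; None if any segment is missing."""
    cur = ev
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def matches(ev):
    """Return True when the event satisfies the rule's EQL 'process where ...' clause."""
    if get(ev, "host.os.type") != "windows" or get(ev, "event.type") != "start":
        return False
    parent = get(ev, "process.parent.name")
    if parent is None or parent.lower() != PARENT:
        return False
    name = get(ev, "process.name")
    if name is not None and name.lower() in SUSPICIOUS_NAMES:
        return True
    # Fallback for renamed binaries: exact, case-sensitive set membership like EQL 'in'.
    return get(ev, "process.pe.original_file_name") in SUSPICIOUS_ORIGINAL_NAMES


def event(parent, name, original=None, event_type="start", os_type="windows"):
    """Build a minimal ECS process event (constructed sample, not real telemetry)."""
    ev = {
        "host": {"os": {"type": os_type}},
        "event": {"category": "process", "type": event_type},
        "process": {"name": name, "parent": {"name": parent}},
    }
    if original is not None:
        ev["process"]["pe"] = {"original_file_name": original}
    return ev


# Constructed scenarios: a shell from the server, a renamed PowerShell caught by the
# original-file-name fallback, ASP.NET compiling a dropped page, the same shell from
# the *client* service (out of scope), a process-end event, and a renamed binary whose
# PE original name uses the mixed case Windows actually ships (case-sensitive miss).
SAMPLES = {
    "shell_from_server": event("ScreenConnect.Service.exe", "cmd.exe", "Cmd.Exe"),
    "renamed_powershell": event("ScreenConnect.Service.exe", "update.exe", "powershell.exe"),
    "csc_webshell_compile": event("ScreenConnect.Service.exe", "csc.exe"),
    "same_shell_from_client": event("ScreenConnect.ClientService.exe", "cmd.exe", "Cmd.Exe"),
    "process_end_event": event("ScreenConnect.Service.exe", "cmd.exe", event_type="end"),
    "renamed_mixed_case_original": event("ScreenConnect.Service.exe", "update.exe", "PowerShell.EXE"),
}


def evaluate(samples=SAMPLES):
    """Map each scenario label to whether the rule would alert on it."""
    return {label: matches(ev) for label, ev in samples.items()}


if __name__ == "__main__":
    for label, hit in evaluate().items():
        print(f"{'ALERT' if hit else '  ok '}  {label}")
```

The last scenario is the check worth running against your own data: the `in` clause compares case-sensitively, and several Windows binaries carry a mixed-case PE original file name (cmd.exe reports Cmd.Exe, powershell.exe reports PowerShell.EXE). Query your process index for the exact values your data source records in process.pe.original_file_name; if they are mixed case, the fallback clause as written will not fire on a renamed shell, and `in~` is EQL's case-insensitive form of the operator.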
References
- https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
Related rules
- Command Execution via SolarWinds Process
- Potential Foxmail Exploitation
- Web Shell Detection: Script Process Child of Common Web Processes
- Suspicious MS Office Child Process
- Suspicious PDF Reader Child Process