ScreenConnect Server Spawning Suspicious Processes
Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2024/03/26"
3integration = ["endpoint", "windows", "system", "m365_defender", "sentinel_one_cloud_funnel"]
4maturity = "production"
5updated_date = "2024/10/10"
6min_stack_version = "8.13.0"
7min_stack_comments = "Breaking change at 8.13.0 for SentinelOne Integration."
8
9[rule]
10author = ["Elastic"]
11description = """
12Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This
13activity may indicate exploitation activity or access to an existing web shell backdoor.
14"""
15from = "now-9m"
16index = [
17 "logs-endpoint.events.process-*",
18 "winlogbeat-*",
19 "logs-windows.forwarded*",
20 "logs-windows.sysmon_operational-*",
21 "endgame-*",
22 "logs-system.security*",
23 "logs-m365_defender.event-*",
24 "logs-sentinel_one_cloud_funnel.*",
25]
26language = "eql"
27license = "Elastic License v2"
28name = "ScreenConnect Server Spawning Suspicious Processes"
29references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"]
30risk_score = 73
31rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73"
32severity = "high"
33tags = [
34 "Domain: Endpoint",
35 "OS: Windows",
36 "Use Case: Threat Detection",
37 "Tactic: Initial Access",
38 "Tactic: Execution",
39 "Data Source: Elastic Endgame",
40 "Data Source: Elastic Defend",
41 "Data Source: Sysmon",
42 "Data Source: System",
43 "Data Source: Microsoft Defender for Endpoint",
44 "Data Source: SentinelOne",
45]
46timestamp_override = "event.ingested"
47type = "eql"
48
49query = '''
50process where host.os.type == "windows" and event.type == "start" and
51 process.parent.name : "ScreenConnect.Service.exe" and
52 (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or
53 ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe"))
54'''
55
56
57[[rule.threat]]
58framework = "MITRE ATT&CK"
59[[rule.threat.technique]]
60id = "T1190"
61name = "Exploit Public-Facing Application"
62reference = "https://attack.mitre.org/techniques/T1190/"
63
64
65[rule.threat.tactic]
66id = "TA0001"
67name = "Initial Access"
68reference = "https://attack.mitre.org/tactics/TA0001/"
69[[rule.threat]]
70framework = "MITRE ATT&CK"
71[[rule.threat.technique]]
72id = "T1059"
73name = "Command and Scripting Interpreter"
74reference = "https://attack.mitre.org/techniques/T1059/"
75[[rule.threat.technique.subtechnique]]
76id = "T1059.001"
77name = "PowerShell"
78reference = "https://attack.mitre.org/techniques/T1059/001/"
79
80[[rule.threat.technique.subtechnique]]
81id = "T1059.003"
82name = "Windows Command Shell"
83reference = "https://attack.mitre.org/techniques/T1059/003/"
84
85
86
87[rule.threat.tactic]
88id = "TA0002"
89name = "Execution"
90reference = "https://attack.mitre.org/tactics/TA0002/"
References
Related rules
- Suspicious MS Office Child Process
- Suspicious PDF Reader Child Process
- Command Execution via SolarWinds Process
- Potential Foxmail Exploitation
- Microsoft Exchange Server UM Spawning Suspicious Processes