Remote Access Tool - ScreenConnect Command Execution
Detects command execution via ScreenConnect RMM
Sigma rule (View on GitHub)
1title: Remote Access Tool - ScreenConnect Command Execution
2id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
3related:
4 - id: b1f73849-6329-4069-bc8f-78a604bb8b23
5 type: similar
6status: test
7description: Detects command execution via ScreenConnect RMM
8references:
9 - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
10 - https://github.com/SigmaHQ/sigma/pull/4467
11author: Ali Alwashali
12date: 2023-10-10
13tags:
14 - attack.execution
15 - attack.t1059.003
16logsource:
17 service: application
18 product: windows
19detection:
20 selection:
21 Provider_Name: 'ScreenConnect'
22 EventID: 200
23 Data|contains: 'Executed command of length'
24 condition: selection
25falsepositives:
26 - Legitimate use of ScreenConnect
27level: low
References
-
In this blog post, we will look into the traces left behind by the usage of ScreenConnect.
Read More -
Summary of the Pull Request Rules to detect ScreenConnect RMM tools activity Changelog new: Remote Access Tool - ScreenConnect Command Execution new: Remote Access Tool - ScreenConnect File Transfe...
Read More
Related rules
- Remote Access Tool - ScreenConnect File Transfer
- Remote Access Tool - ScreenConnect Temporary File
- AWS EC2 Startup Shell Script Change
- Command Line Execution with Suspicious URL and AppData Strings
- Conhost.exe CommandLine Path Traversal