Remote Access Tool - ScreenConnect File Transfer
Detects file being transferred via ScreenConnect RMM
Sigma rule (View on GitHub)
1title: Remote Access Tool - ScreenConnect File Transfer
2id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
3related:
4 - id: b1f73849-6329-4069-bc8f-78a604bb8b23
5 type: similar
6status: test
7description: Detects file being transferred via ScreenConnect RMM
8references:
9 - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
10 - https://github.com/SigmaHQ/sigma/pull/4467
11author: Ali Alwashali
12date: 2023-10-10
13tags:
14 - attack.execution
15 - attack.t1059.003
16logsource:
17 service: application
18 product: windows
19detection:
20 selection:
21 Provider_Name: 'ScreenConnect'
22 EventID: 201
23 Data|contains: 'Transferred files with action'
24 condition: selection
25falsepositives:
26 - Legitimate use of ScreenConnect
27level: low
References
-
In this blog post, we will look into the traces left behind by the usage of ScreenConnect.
Read More -
Summary of the Pull Request Rules to detect ScreenConnect RMM tools activity Changelog new: Remote Access Tool - ScreenConnect Command Execution new: Remote Access Tool - ScreenConnect File Transfe...
Read More
Related rules
- Remote Access Tool - ScreenConnect Command Execution
- Remote Access Tool - ScreenConnect Temporary File
- AWS EC2 Startup Shell Script Change
- Command Line Execution with Suspicious URL and AppData Strings
- Conhost.exe CommandLine Path Traversal