ScreenConnect Temporary Installation Artefact

calendar Oct 18, 2023 · attack.command_and_control attack.t1219  ·
Share on: linkedin copy

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Sigma rule (View on GitHub)

 1title: ScreenConnect Temporary Installation Artefact
 2id: fec96f39-988b-4586-b746-b93d59fd1922
 3status: test
 4description: |
 5    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
 6    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
 7    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
10author: frack113
11date: 2022/02/13
12tags:
13    - attack.command_and_control
14    - attack.t1219
15logsource:
16    category: file_event
17    product: windows
18detection:
19    selection:
20        TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
21    condition: selection
22falsepositives:
23    - Legitimate use
24level: medium

References

Related rules

to-top