Remote Access Tool - ScreenConnect Backstage Mode Anomaly

Detects suspicious subprocesses (cmd.exe, powershell.exe or pwsh.exe) started by the ScreenConnect client service, which indicates use of the so-called Backstage mode

Sigma rule

title: Remote Access Tool - ScreenConnect Backstage Mode Anomaly
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
status: test
description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
references:
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
author: Florian Roth (Nextron Systems)
date: 2022/02/25
modified: 2023/03/05
tags:
    - attack.command_and_control
    - attack.t1219
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: 'ScreenConnect.ClientService.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
    condition: selection
falsepositives:
    - Case in which administrators are allowed to use ScreenConnect's Backstage mode
level: high
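To show how the `selection` block above behaves against process-creation telemetry, here is an added Python example (not part of the rule or of the Sigma project) that reimplements the selection with Sigma's default case-insensitive `endswith` semantics and runs it over constructed sample events. The event field names follow the Sigma `process_creation` field set (`ParentImage`, `Image`); the install-folder paths and the `evilcmd.exe` case are constructed, the latter to show why the leading backslash in the rule's values matters.

```python
"""Evaluate the ScreenConnect Backstage Mode Anomaly selection over sample events.

Added example, not part of the Sigma rule or the Sigma project. The event
dictionaries below are constructed for illustration; field names follow the
Sigma process_creation field set (ParentImage, Image).
"""

from typing import Iterable, List

# Values copied from the rule's selection block.
PARENT_SUFFIX = "ScreenConnect.ClientService.exe"
CHILD_SUFFIXES = ("\\cmd.exe", "\\powershell.exe", "\\pwsh.exe")


def _endswith_ci(value: str, suffix: str) -> bool:
    """Sigma string matching is case-insensitive by default."""
    return value.lower().endswith(suffix.lower())


def matches_backstage_anomaly(event: dict) -> bool:
    """Return True when the event satisfies the rule's `selection`.

    Both fields must be present; a missing field never matches.
    """
    parent = event.get("ParentImage")
    image = event.get("Image")
    if not isinstance(parent, str) or not isinstance(image, str):
        return False
    if not _endswith_ci(parent, PARENT_SUFFIX):
        return False
    # The list under Image|endswith is OR-ed: any suffix is enough.
    return any(_endswith_ci(image, s) for s in CHILD_SUFFIXES)


def find_alerts(events: Iterable[dict]) -> List[dict]:
    """Return the events that would raise this rule."""
    return [e for e in events if matches_backstage_anomaly(e)]


# Constructed sample telemetry (not real logs; install-folder name is made up).
SAMPLE_EVENTS = [
    {   # Shell spawned by the client service: fires.
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
    {   # Mixed case: matching is case-insensitive, so this fires too.
        "ParentImage": r"c:\program files (x86)\screenconnect client (abc123)\screenconnect.clientservice.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.EXE",
    },
    {   # Same parent, but a non-shell child: outside the rule's scope.
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        "Image": r"C:\Windows\System32\notepad.exe",
    },
    {   # Name merely ending in "cmd.exe": the leading backslash in the rule
        # anchors the match to the file name, so this does not fire.
        "ParentImage": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
        "Image": r"C:\Users\alice\evilcmd.exe",
    },
    {   # A shell spawned by explorer: ordinary user activity, wrong parent.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
    },
]


if __name__ == "__main__":
    for hit in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "<-", hit["ParentImage"])
```

Only the first two events fire. Whether those hits are true positives depends on site policy: the rule's `falsepositives` entry notes that administrators who are permitted to use Backstage mode will produce exactly this parent/child pair, so a deployment typically pairs the match with an allow-list of authorised operators or hosts rather than suppressing the rule.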
