Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
Sigma rule (View on GitHub)
1title: Remote Access Tool - ScreenConnect Server Web Shell Execution
2id: b19146a3-25d4-41b4-928b-1e2a92641b1b
3status: experimental
4description: Detects potential web shell execution from the ScreenConnect server process.
5references:
6 - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
7 - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
8author: Jason Rathbun (Blackpoint Cyber)
9date: 2024/02/26
10tags:
11 - attack.initial_access
12 - attack.t1190
13logsource:
14 product: windows
15 category: process_creation
16detection:
17 selection:
18 ParentImage|endswith: '\ScreenConnect.Service.exe'
19 Image|endswith:
20 - '\cmd.exe'
21 - '\csc.exe'
22 condition: selection
23falsepositives:
24 - Unlikely
25level: high
References
-
Read a blog from our threat research team on the ConnectWise vulnerabilities, exploitation process, and how to detect these tactics.
Read More -
We've received notifications of suspicious activity that our incident response team has investigated.
Read More
Related rules
- Exchange Webshell creation
- Potential CVE-2021-27905 Exploitation Attempt
- Suspicious Processes Spawned by WinRM
- Potential CVE-2022-21587 Exploitation Attempt
- Potential CVE-2023-23752 Exploitation Attempt