Link: ScreenConnect installer with suspicious relay domain
Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that doesn't match sender or organizational domains.
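# Sublime Security detection rule.
# Fires on inbound mail carrying a link that resolves to a ConnectWise
# ScreenConnect installer whose embedded relay host (the "h=" value) belongs
# to neither an organizational domain nor the sender's own root domain.
name: "Link: ScreenConnect installer with suspicious relay domain"
description: "Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that doesn't match sender or organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // Gate on the href itself ending in ".exe", compared case-insensitively
          // so an ".EXE" href is not missed. Links whose visible href does not
          // end in .exe (for example a redirector) never reach link analysis.
          strings.iends_with(.href_url.url, ".exe")
          // Follow the link and inspect every file the destination hands back.
          and any(ml.link_analysis(., mode="aggressive").files_downloaded,
                  any(file.explode(.),
                      // The binary must identify itself as ScreenConnect ...
                      any(.scan.strings.strings,
                          strings.icontains(., "ScreenConnect")
                      )
                      // ... and carry the installer's relay configuration string,
                      // which holds both the relay host ("h=") and the encoded
                      // encryption key ("k=").
                      and any(filter(.scan.strings.strings,
                                     strings.icontains(., "h=") // relay domain
                                     and strings.icontains(., "k=") // encoded encryption key
                              ),
                              // Pull the relay host out of "h=", prefix a scheme so it
                              // parses as a URL, and compare its root domain against
                              // the org list and the sender's root domain. A relay on
                              // the sender's own domain is deliberately not flagged.
                              any(regex.extract(., 'h=(?P<url>[^&]+)'),
                                  strings.parse_url(strings.concat("https://",
                                                                   .named_groups["url"]
                                                    )
                                  ).domain.root_domain not in $org_domains
                                  and strings.parse_url(strings.concat("https://",
                                                                       .named_groups["url"]
                                                        )
                                  ).domain.root_domain != sender.email.domain.root_domain
                              )
                      )
                  )
          )
  )
  // Sender prevalence: suppress when this sender already has benign history.
  // This is a false-positive control, not an integrity check; it offers no
  // protection when a previously trusted sender's account has been compromised.
  and not profile.by_sender_email().any_messages_benign
attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "File analysis"
  - "Content analysis"
id: "37d21eef-c45c-5348-b764-a6dc48261a91"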