Link: ScreenConnect Installer With Suspicious Relay Domain
Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that matches neither the sender's domain nor an organizational domain.
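# Sublime detection rule.
# Fires on inbound mail carrying a link to a ConnectWise ScreenConnect client
# installer whose embedded relay ("h=") host belongs neither to an
# organizational domain nor to the sender's domain.
name: "Link: ScreenConnect Installer With Suspicious Relay Domain"
description: "Detects when a link leads to a ConnectWise ScreenConnect installer and references a relay domain that doesn't match sender or organizational domains."
type: "rule"
severity: "high"
source: |
  type.inbound
  and any(body.links,
          // Only links whose URL ends in ".exe" are inspected. NOTE(review):
          // this check looks case-sensitive (the rest of the rule uses the
          // icontains variants) and does not cover URLs with a trailing query
          // string or redirect hops, so other delivery forms are not covered.
          strings.ends_with(.href_url.url, ".exe")
          // Aggressive link analysis follows the link and collects any file it
          // delivers; each downloaded file is exploded and its extracted
          // strings are inspected below.
          and any(ml.link_analysis(., mode="aggressive").files_downloaded,
                  any(file.explode(.),
                      // The binary is identified as a ScreenConnect client by
                      // the "ScreenConnect" marker among its extracted strings.
                      any(.scan.strings.strings,
                          strings.icontains(., "ScreenConnect")
                      )
                      // Per the inline labels, "h=" carries the relay domain
                      // and "k=" the encoded encryption key. NOTE(review):
                      // icontains("h=") is a bare substring match and also
                      // hits keys such as "path="; the regex below performs
                      // the actual extraction and stops at the next "&".
                      and any(filter(.scan.strings.strings,
                                     strings.icontains(., "h=") // relay domain
                                     and strings.icontains(., "k=") // encoded encryption key
                              ),
                              any(regex.extract(., 'h=(?P<url>[^&]+)'),
                                  // A scheme is prefixed so parse_url can derive
                                  // the root domain of the relay host; the relay
                                  // must match neither an org domain nor the
                                  // sender's root domain.
                                  strings.parse_url(strings.concat("https://",
                                                                   .named_groups["url"]
                                                    )
                                  ).domain.root_domain not in $org_domains
                                  and strings.parse_url(strings.concat("https://",
                                                                       .named_groups["url"]
                                                        )
                                  ).domain.root_domain != sender.email.domain.root_domain
                              )
                      )
                  )
          )
  )
  // Suppress senders with an established benign history. Trade-off: a
  // previously benign sender whose account is later compromised is not
  // flagged by this rule.
  and not profile.by_sender_email().any_messages_benign

attack_types:
  - "Malware/Ransomware"
tactics_and_techniques:
  - "Evasion"
  - "Out of band pivot"
  - "Social engineering"
detection_methods:
  - "URL analysis"
  - "File analysis"
  - "Content analysis"
id: "37d21eef-c45c-5348-b764-a6dc48261a91"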