Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users<username>\Documents\ConnectWiseControl\Temp" before execution.
Detects instances of explorer.exe spawning cmd.exe along with corresponding start and
exit commands that we commonly observe in conjunction with a wide variety of malicious
activity. Part of the RedCanary 2023 Threat Detection Report.
Adversaries may abuse the Windows command shell for execution.
The Windows command shell (cmd) is the primary command prompt on Windows systems.
The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
Detect run not allowed files. Applocker is a very useful tool, especially on servers where unprivileged users have access. For example terminal servers. You need configure applocker and log collect to receive these events.