sigmalowHunting

Remote Access Tool - ScreenConnect Temporary File

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.

MITRE ATT&CK

T1059.003

execution

Detection Query

selection:
  Image|endswith: \ScreenConnect.WindowsClient.exe
  TargetFilename|contains: \Documents\ConnectWiseControl\Temp\
condition: selection

Author

Ali Alwashali

Created

2023-10-10

Data Sources

windowsFile Events

Platforms

windows

References

https://github.com/SigmaHQ/sigma/pull/4467

Tags

attack.executionattack.t1059.003

Raw Content

title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: |
    Detects the creation of files in a specific location by ScreenConnect RMM.
    ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ScreenConnect.WindowsClient.exe'
        TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
# Note: Incase the level if ScreenConnect is not used
level: low