sigma, high, Hunting
Remote Access Tool - ScreenConnect Server Web Shell Execution
Detects potential web shell execution from the ScreenConnect server process.
Detection Query
selection:
    ParentImage|endswith: \ScreenConnect.Service.exe
    Image|endswith:
        - \cmd.exe
        - \csc.exe
condition: selection
Author
Jason Rathbun (Blackpoint Cyber)
Created
2024-02-26
Data Sources
windows: Process Creation Events
Platforms
windows
References
Tags
attack.initial-access, attack.t1190
Raw Content
title: Remote Access Tool - ScreenConnect Server Web Shell Execution
id: b19146a3-25d4-41b4-928b-1e2a92641b1b
status: test
description: Detects potential web shell execution from the ScreenConnect server process.
references:
    - https://blackpointcyber.com/resources/blog/breaking-through-the-screen/
    - https://www.connectwise.com/company/trust/security-bulletins/connectwise-screenconnect-23.9.8
author: Jason Rathbun (Blackpoint Cyber)
date: 2024-02-26
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\csc.exe'
    condition: selection
falsepositives:
    - Unlikely
level: high