ScreenConnect
ScreenConnect is a tool designed for remote access, support, and meeting solutions.
App Artifacts
IoC | Observations | DFIR Relevance
---|---|---
ScreenConnect service installed with part of the name randomly generated, such as `ScreenConnect Client (429d9ba6e9123fb4)` | `source=system.evtx EventCode=7045 Message="ScreenConnect Client (*)"` | Indicates potential unauthorized remote access software installation, often a sign of compromise or insider threat.
A service running as SYSTEM was also recorded in a 4573 event in the Security Log indicating Sensitive Privilege Use (SeTcbPrivilege) | `source=system.evtx EventCode=4573 Message="ScreenConnect" AND Message="SeTcbPrivilege"` | Reflects elevated privileges being used, potentially for malicious purposes, requiring investigation of service behavior.
`https://<username>.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest` | Review EDR/Sysmon command lines, DNS events, and/or proxy logs for URLs matching the pattern `http*.screenconnect.com/Bin/ScreenConnect*.exe*` | Indicates downloading of remote access tools, which could be used for unauthorized access or data exfiltration.
`ScreenConnect.ClientService.exe` | Filename indicator useful for reviewing process execution events. | Signifies execution of the ScreenConnect client service; essential to check for unauthorized remote control activity.
`ScreenConnect.WindowsClient.exe` | Filename indicator useful for reviewing process execution events. | Indicates the ScreenConnect Windows client is running; important to verify for unsanctioned remote access.
Cloud Account Administrator Connected | `source=Application.evtx EventCode=100 Source=ScreenConnect Message="Cloud Account Administrator Connected"` | Suggests remote access by a cloud account administrator; crucial for validating authorized access vs. account takeover.
Cloud Account Administrator Disconnected | `source=Application.evtx EventCode=101 Source=ScreenConnect Message="Cloud Account Administrator Disconnected"` | Indicates disconnection of a cloud account admin; necessary for tracking session durations and potential unauthorized activity.
`C:\Users\<user>\Documents\ConnectWiseControl\Temp` | Execution of any PE from this directory indicates it was likely provided by the ScreenConnect host. | Execution from this directory could indicate malicious use of legitimate software for unauthorized actions.
`C:\Users\<user>\Documents\ConnectWiseControl\Files` | `source=Application.evtx EventCode=201 Source=ScreenConnect Message="transfer"` | File transfers via ScreenConnect could point to data exfiltration or unauthorized file access.
`powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -File C:\WINDOWS\TEMP\ScreenConnect\23.4.5.8571\f5955c63-3955-4c4a-ba98-672d4d6291eerun.ps1` | `Source=Microsoft-Windows-Powershell-Operational EventID=4103 Message=*ScreenConnect*.ps1*` | Execution of PowerShell scripts related to ScreenConnect could indicate automation of malicious activities or unauthorized changes.
MITRE ATT&CK References
- T1219 - Remote Access Software: This technique involves the use of legitimate remote access software like ScreenConnect for command and control.
- Related sub-techniques…
- T1059 - Command and Scripting Interpreter: General technique for execution of commands and scripts.
- T1136 - Create Account: Creating new user accounts for persistent access.
- T1027 - Obfuscated Files or Information: If obfuscation was used in payloads.
- T1003 - OS Credential Dumping: For accessing credentials stored in the operating system.
Sigma Rules
- Access to Suspicious ScreenConnect URL: Monitoring for access to URLs matching the pattern of ScreenConnect can be crucial for early detection of unauthorized remote access attempts.
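The match conditions from the Observations column of the table above, together with the URL pattern the Sigma rule bullet describes, as an added Python example (not code from the original page or from ConnectWise). Each table row becomes one rule, the rules run over a handful of constructed event records, and the 100/101 events are paired to give the session durations the table says to track. The record layout (`source`, `EventCode`, `Source`, `Message`, `Image`, `timestamp`) assumes a flattened SIEM-style event and is an assumption, as are the sample events themselves; the match values are the ones listed in the table.

```python
import re
from datetime import datetime
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Service installed with a randomly generated 16-hex-digit suffix (System 7045).
SERVICE_NAME_RE = re.compile(r"ScreenConnect Client \([0-9a-f]{16}\)", re.I)
# Client download URL, i.e. the table's pattern http*.screenconnect.com/Bin/ScreenConnect*.exe*
URL_RE = re.compile(r"https?://[^\s/]*screenconnect\.com/Bin/ScreenConnect[^\s\"']*\.exe", re.I)
# PowerShell script run from a ScreenConnect directory (PowerShell Operational 4103).
PS_SCRIPT_RE = re.compile(r"ScreenConnect[^\s\"']*\.ps1", re.I)


def _msg(e: Event) -> str:
    return str(e.get("Message", ""))


def _is(e: Event, source: str, code: int) -> bool:
    """True when the event came from the given log and carries the given event code."""
    return str(e.get("source", "")).lower() == source.lower() and e.get("EventCode") == code


def _sc_app(e: Event, code: int) -> bool:
    """Application log event written by the ScreenConnect source with the given code."""
    return _is(e, "Application.evtx", code) and e.get("Source") == "ScreenConnect"


# One detection per table row: (name, predicate over a single event).
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("service_installed", lambda e: _is(e, "system.evtx", 7045) and bool(SERVICE_NAME_RE.search(_msg(e)))),
    ("sensitive_privilege_use", lambda e: _is(e, "system.evtx", 4573)
        and "ScreenConnect" in _msg(e) and "SeTcbPrivilege" in _msg(e)),
    ("client_download_url", lambda e: bool(URL_RE.search(_msg(e)))),
    # "Image" is an assumed Sysmon/EDR-style process-path field.
    ("client_process", lambda e: str(e.get("Image", "")).lower().endswith(
        ("screenconnect.clientservice.exe", "screenconnect.windowsclient.exe"))),
    ("admin_connected", lambda e: _sc_app(e, 100) and "Cloud Account Administrator Connected" in _msg(e)),
    ("admin_disconnected", lambda e: _sc_app(e, 101) and "Cloud Account Administrator Disconnected" in _msg(e)),
    ("file_transfer", lambda e: _sc_app(e, 201) and "transfer" in _msg(e).lower()),
    ("powershell_script", lambda e: "powershell" in str(e.get("source", "")).lower()
        and e.get("EventCode") == 4103 and bool(PS_SCRIPT_RE.search(_msg(e)))),
]


def classify(event: Event) -> List[str]:
    """Return the names of every rule the event matches (empty list for benign events)."""
    return [name for name, pred in RULES if pred(event)]


def detect(events: List[Event]) -> List[Tuple[int, List[str]]]:
    """Run all rules over a list of events; return (index, matched rule names) for hits only."""
    hits = []
    for i, e in enumerate(events):
        names = classify(e)
        if names:
            hits.append((i, names))
    return hits


def session_durations(events: List[Event]) -> List[float]:
    """Pair each admin connect (100) with the next disconnect (101); return durations in seconds."""
    durations, start = [], None
    for e in sorted(events, key=lambda ev: str(ev["timestamp"])):
        names = classify(e)
        if "admin_connected" in names:
            start = datetime.fromisoformat(str(e["timestamp"]))
        elif "admin_disconnected" in names and start is not None:
            durations.append((datetime.fromisoformat(str(e["timestamp"])) - start).total_seconds())
            start = None
    return durations


# Constructed sample events (not real logs); hosts, users and timestamps are made up.
SAMPLE_EVENTS: List[Event] = [
    {"timestamp": "2024-01-15T10:00:00", "source": "system.evtx", "EventCode": 7045,
     "Message": "A service was installed in the system. Service Name: ScreenConnect Client (429d9ba6e9123fb4)"},
    {"timestamp": "2024-01-15T10:00:01", "source": "system.evtx", "EventCode": 7045,
     "Message": "A service was installed in the system. Service Name: Print Spooler Helper"},
    {"timestamp": "2024-01-15T09:59:40", "source": "proxy", "EventCode": 0,
     "Message": "GET https://tenant.screenconnect.com/Bin/ScreenConnect.ClientSetup.exe?e=Access&y=Guest"},
    {"timestamp": "2024-01-15T09:59:45", "source": "proxy", "EventCode": 0,
     "Message": "GET https://www.example.com/index.html"},
    {"timestamp": "2024-01-15T10:00:05", "source": "sysmon", "EventCode": 1, "Message": "Process Create",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (429d9ba6e9123fb4)\ScreenConnect.ClientService.exe"},
    {"timestamp": "2024-01-15T10:01:00", "source": "Application.evtx", "EventCode": 100,
     "Source": "ScreenConnect", "Message": "Cloud Account Administrator Connected"},
    {"timestamp": "2024-01-15T10:05:00", "source": "Application.evtx", "EventCode": 201,
     "Source": "ScreenConnect", "Message": r"Transferred files to C:\Users\alice\Documents\ConnectWiseControl\Files"},
    {"timestamp": "2024-01-15T10:06:00", "source": "Microsoft-Windows-Powershell-Operational", "EventCode": 4103,
     "Message": r"CommandInvocation: powershell.exe -File C:\WINDOWS\TEMP\ScreenConnect\23.4.5.8571\f5955c63-3955-4c4a-ba98-672d4d6291eerun.ps1"},
    {"timestamp": "2024-01-15T10:31:00", "source": "Application.evtx", "EventCode": 101,
     "Source": "ScreenConnect", "Message": "Cloud Account Administrator Disconnected"},
]

if __name__ == "__main__":
    for idx, names in detect(SAMPLE_EVENTS):
        print(idx, names)
    print("admin session durations (s):", session_durations(SAMPLE_EVENTS))
```

Against the sample set, the benign 7045 and the unrelated proxy request produce no hits, while every ScreenConnect row fires exactly one rule, and the single connect/disconnect pair yields a 30-minute session. Feeding the rules events from one host in time order, as here, is what lets the download, install, SYSTEM service, admin session and file transfer be read as one sequence rather than isolated alerts.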