If the script being executed makes use of any of the utilities mentioned in the detection, then those invocations should be filtered out or allowed.

Techniques

Sample rules

Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution

Description

Detects potentially suspicious child processes launched via the ScreenConnect client service.

Detection logic

condition: selection
selection:
  Image|endswith:
  - \bitsadmin.exe
  - \cmd.exe
  - \curl.exe
  - \dllhost.exe
  - \net.exe
  - \nltest.exe
  - \powershell.exe
  - \pwsh.exe
  - \rundll32.exe
  - \wevtutil.exe
  ParentCommandLine|contains|all:
  - :\Windows\TEMP\ScreenConnect\
  - run.cmd
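As an added example (not the LoFP page's or the Sigma project's code), the following Python evaluates the selection above against constructed process-creation events and shows where the tuning note at the top of the page fits; the CommandLine field, the allowlist structure and the sample events are assumptions.

```python
# Added example (not from the LoFP page or the Sigma project): evaluates the
# rule's 'selection' over constructed process-creation events and applies an
# allowlist for utilities an approved run.cmd is known to launch (the tuning
# the false-positive note above calls for).
SUSPICIOUS_CHILDREN = (
    "\\bitsadmin.exe", "\\cmd.exe", "\\curl.exe", "\\dllhost.exe", "\\net.exe",
    "\\nltest.exe", "\\powershell.exe", "\\pwsh.exe", "\\rundll32.exe",
    "\\wevtutil.exe",
)
PARENT_MARKERS = (":\\Windows\\TEMP\\ScreenConnect\\", "run.cmd")

def matches_selection(event: dict) -> bool:
    """True when the event satisfies the rule's selection block; Sigma string
    modifiers are case-insensitive, so both sides are lowercased."""
    image = event.get("Image", "").lower()
    parent = event.get("ParentCommandLine", "").lower()
    child_hit = any(image.endswith(s.lower()) for s in SUSPICIOUS_CHILDREN)
    parent_hit = all(m.lower() in parent for m in PARENT_MARKERS)
    return child_hit and parent_hit

def is_allowlisted(event: dict, allowed: dict) -> bool:
    """Tuning hook (assumed structure): `allowed` maps a child image basename to
    the CommandLine prefixes an approved run.cmd legitimately launches it with."""
    basename = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    cmdline = event.get("CommandLine", "").lower()
    return any(cmdline.startswith(p.lower()) for p in allowed.get(basename, ()))

def triage(events: list, allowed: dict) -> list:
    """Events that match the rule and are not covered by the allowlist."""
    return [e for e in events if matches_selection(e) and not is_allowlisted(e, allowed)]

# Constructed sample events; the ScreenConnect version folder is made up.
RUN_CMD_PARENT = 'cmd.exe /c "C:\\Windows\\TEMP\\ScreenConnect\\23.9.8\\run.cmd"'
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -Command Get-Service",
     "ParentCommandLine": RUN_CMD_PARENT},   # matches: alert
    {"Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net use Z: \\\\fileserver\\share",
     "ParentCommandLine": RUN_CMD_PARENT},   # matches, but allowlisted below
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentCommandLine": RUN_CMD_PARENT},   # child image not in the list
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir",
     "ParentCommandLine": "explorer.exe"},   # parent is not ScreenConnect
]
# Approved run.cmd children on this estate (assumed): only a drive mapping via net.exe.
APPROVED_RUN_CMD_CHILDREN = {"net.exe": ("net use z:",)}
```

Calling triage(SAMPLE_EVENTS, APPROVED_RUN_CMD_CHILDREN) returns only the powershell.exe event; the net.exe event matches the rule but is suppressed by the allowlist.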