Techniques
Sample rules
Remote Access Tool - ScreenConnect Remote Command Execution
- source: sigma
- techniques:
  - t1059
  - t1059.003
Description
Detects the execution of a system command via the ScreenConnect RMM service.
Detection logic
condition: all of selection_*
selection_cli:
  CommandLine|contains: \TEMP\ScreenConnect\
selection_img:
  - Image|endswith: \cmd.exe
  - OriginalFileName: Cmd.Exe
selection_parent:
  ParentImage|endswith: \ScreenConnect.ClientService.exe
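
How the three selections combine, as an added example that is not part of the original rule or of any Sigma tooling: a minimal evaluator for the logic above, run over constructed process-creation events. The event names, file paths and the `matching_events` helper are assumptions made for illustration; string comparison is case-insensitive, as Sigma specifies by default.

```python
# Added example: evaluate the rule's selections against process-creation events.
RULE = {
    "selection_cli": {"CommandLine|contains": "\\TEMP\\ScreenConnect\\"},
    "selection_img": [                      # list of maps: any item may match
        {"Image|endswith": "\\cmd.exe"},
        {"OriginalFileName": "Cmd.Exe"},
    ],
    "selection_parent": {"ParentImage|endswith": "\\ScreenConnect.ClientService.exe"},
}

def field_matches(event, key, pattern):
    """One 'Field|modifier: value' test; Sigma string matching ignores case."""
    field, _, modifier = key.partition("|")
    value, pattern = str(event.get(field, "")).lower(), pattern.lower()
    if modifier == "contains":
        return pattern in value
    if modifier == "endswith":
        return value.endswith(pattern)
    if modifier == "":
        return value == pattern
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(event, selection):
    """A map ANDs its fields; a list of maps ORs its items."""
    if isinstance(selection, list):
        return any(selection_matches(event, item) for item in selection)
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event):
    """condition: all of selection_*"""
    return all(selection_matches(event, sel) for sel in RULE.values())

# Constructed sample events (paths and file names are illustrative, not real telemetry).
SC = "C:\\Program Files (x86)\\ScreenConnect Client (example)\\ScreenConnect.ClientService.exe"
RUN = "cmd.exe /c C:\\Windows\\TEMP\\ScreenConnect\\example\\run.cmd"
EVENTS = {
    "sc_runs_command": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": RUN, "ParentImage": SC},
    "renamed_cmd_lowercase_path": {"Image": "C:\\Users\\Public\\shell.exe", "OriginalFileName": "Cmd.Exe",
                                   "CommandLine": RUN.lower(), "ParentImage": SC},
    "other_parent": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": RUN,
                     "ParentImage": "C:\\Windows\\explorer.exe"},
    "no_script_path": {"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe",
                       "ParentImage": SC},
}

def matching_events():
    return sorted(name for name, ev in EVENTS.items() if rule_matches(ev))

if __name__ == "__main__":
    print(matching_events())
```

The `OriginalFileName` alternative in `selection_img` is what lets the second event match even though its image name is not `cmd.exe`.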