Techniques
Sample rules
Remote Access Tool - ScreenConnect Temporary File
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to “:\Users<username>\Documents\ConnectWiseControl\Temp" before execution.
Detection logic
condition: selection
selection:
Image|endswith: \ScreenConnect.WindowsClient.exe
TargetFilename|contains: \Documents\ConnectWiseControl\Temp\
Remote Access Tool - ScreenConnect File Transfer
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects file being transferred via ScreenConnect RMM
Detection logic
condition: selection
selection:
Data|contains: Transferred files with action
EventID: 201
Provider_Name: ScreenConnect
Remote Access Tool - ScreenConnect Command Execution
- source: sigma
- technicques:
- t1059
- t1059.003
Description
Detects command execution via ScreenConnect RMM
Detection logic
condition: selection
selection:
Data|contains: Executed command of length
EventID: 200
Provider_Name: ScreenConnect