Remote Access Tool - ScreenConnect Remote Command Execution - Hunting

    Date: 01/07/2025

    Severity: Medium

    Summary

    Detects the remote execution of binaries or commands through the ScreenConnect Service. This rule can be used to hunt for potentially unusual activities initiated via ScreenConnect.

    Indicators of Compromise (IOC) List

    ParentImage: '\ScreenConnect.ClientService.exe'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query:

    (resourcename = "Windows Security"  and eventtype = "4688"  ) AND parentprocessname like "\ScreenConnect.ClientService.exe"

    Detection Query:

    (technologygroup = "EDR" ) AND parentprocessname like "\ScreenConnect.ClientService.exe"
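    The same logic as the two queries above, applied to Windows 4688 process-creation events, as an added example that is not part of the Gurucul page or the Sigma rule: the parent image is suffix-matched on the path separator (the page's `like "\ScreenConnect.ClientService.exe"`), and each hit is marked for triage when the child is not one the service normally spawns. The EXPECTED_CHILDREN set and the sample events are assumptions constructed for this example.

```python
"""Hunt Windows 4688 process-creation events for children of ScreenConnect.ClientService.exe."""
from typing import Iterable

# Parent image the rule keys on (from the page). Windows paths are case-insensitive,
# so every comparison is done on lower-cased values.
PARENT_SUFFIX = "\\screenconnect.clientservice.exe"

# Children the ScreenConnect service normally spawns (assumption; tune per environment).
EXPECTED_CHILDREN = {"screenconnect.windowsclient.exe"}


def is_screenconnect_child(event: dict) -> bool:
    """True when a 4688 event's parent is the ScreenConnect client service."""
    if str(event.get("EventID")) != "4688":
        return False
    parent = event.get("ParentProcessName", "").lower()
    # Anchoring on the path separator avoids matching names that merely contain the string.
    return parent.endswith(PARENT_SUFFIX)


def hunt(events: Iterable[dict]) -> list:
    """Return triage records for matches, flagging children outside the expected set."""
    findings = []
    for ev in events:
        if not is_screenconnect_child(ev):
            continue
        child = ev.get("NewProcessName", "")
        basename = child.lower().rsplit("\\", 1)[-1]
        findings.append({
            "user": ev.get("SubjectUserName", ""),
            "child": child,
            # CommandLine is only populated when command-line auditing is enabled for 4688.
            "command_line": ev.get("CommandLine", ""),
            "unexpected_child": basename not in EXPECTED_CHILDREN,
        })
    return findings


# Constructed sample events (not real telemetry), using the field names of Windows event 4688.
SC_SERVICE = r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.ClientService.exe"
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "ParentProcessName": SC_SERVICE,
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM", "ParentProcessName": SC_SERVICE,
     "NewProcessName": r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3)\ScreenConnect.WindowsClient.exe"},
    {"EventID": 4688, "SubjectUserName": "alice", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"EventID": 4624, "SubjectUserName": "alice"},
]
```

    Running hunt(SAMPLE_EVENTS) returns two records; only the cmd.exe child is flagged as unexpected, which is the kind of hit the page suggests reviewing.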

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_child_proc.yml


    Tags

    SigmaMalware
