ScreenConnect rules

[alwashali]

Summary of the Pull Request

Rules to detect ScreenConnect RMM tools activity

Changelog

new: Remote Access Tool - ScreenConnect Command Execution
new: Remote Access Tool - ScreenConnect File Transfer
new: Remote Access Tool - ScreenConnect Temporary File
new: Remote Access Tool - ScreenConnect Remote Command Execution

Example Log Event

• Process Creation

Process Create:
RuleName: -
UtcTime: 2023-10-01 09:47:05.429
ProcessGuid: {43199d79-4019-6519-cd21-000000001400}
ProcessId: 11456
Image: C:\Windows\System32\whoami.exe
FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
Description: whoami - displays logged on user information
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: whoami.exe
CommandLine: whoami
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {43199d79-f8e8-6507-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=47D7864D26FC67E0D60391CBF170D33DA518C322,MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88
ParentProcessGuid: {43199d79-4019-6519-cc21-000000001400}
ParentProcessId: 1588
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
ParentUser: NT AUTHORITY\SYSTEM

Process Create:
RuleName: -
UtcTime: 2023-10-01 09:47:05.375
ProcessGuid: {43199d79-4019-6519-cc21-000000001400}
ProcessId: 1588
Image: C:\Windows\System32\cmd.exe
FileVersion: 10.0.17763.1697 (WinBuild.160101.0800)
Description: Windows Command Processor
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: Cmd.Exe
CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
CurrentDirectory: C:\Windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {43199d79-f8e8-6507-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=DED8FD7F36417F66EB6ADA10E0C0D7C0022986E9,MD5=911D039E71583A07320B32BDE22F8E22,SHA256=BC866CFCDDA37E24DC2634DC282C7A0E6F55209DA17A8FA105B07414C0E7C527,IMPHASH=272245E2988E1E430500B852C4FB5E18
ParentProcessGuid: {43199d79-3eb3-6519-5821-000000001400}
ParentProcessId: 2868
ParentImage: C:\Program Files (x86)\ScreenConnect Client (b6eba0cb8c0fe477)\ScreenConnect.ClientService.exe
ParentCommandLine: "C:\Program Files (x86)\ScreenConnect Client (b6eba0cb8c0fe477)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-dlzsak-relay.screenconnect.com&p=443&s=54831350-ec52-4358-835b-ff320422eda7&k=BgIAAACkAABSU0ExAAgAAAEAAQD9jWiqK9DiOa10jZWAon2023-10-01 09:47:05.375bm2023-10-01 09:47:05.375f1Wqf2ATSvzNvBc3izDZvJp0OLOagokmO1QQfKdOn08hfJhV97zSRpA5fNNDpIL8eNHn80ah7JBPWbW2023-10-01 09:47:05.375fDAu2023-10-01 09:47:05.375fV1WPwYJVvNIZVd4vNLztqu7jaMm8h1R2023-10-01 09:47:05.375bqY2023-10-01 09:47:05.375fVSUZ806y3Lz5DMz07DRJklcWv2023-10-01 09:47:05.375bMqJnA5nnE1fFjAV6w11MddayXKhYlmIhb055IV4QCWeupx3qq2023-10-01 09:47:05.375fZ9A9QbxYNvHAAIx1dOsxCOcC2023-10-01 09:47:05.375br1no1Anx7zKVFhl8FKfV8fdVLSHQDORSBWD2023-10-01 09:47:05.375f04y9Pyi5uFtefMPhQHWS5eAp4N9ay5YHmusdrLcOnnP08bpuFhwY14W9GB0ge2Gx&c=test4501&c=test4501.site&c=testing2868department&c=&c=&c=&c=&c="
ParentUser: NT AUTHORITY\SYSTEM

• File Create

File created:
RuleName: -
UtcTime: 2023-10-01 09:59:00.206
ProcessGuid: {43199d79-3eb4-6519-5921-000000001400}
ProcessId: 7684
Image: C:\Program Files (x86)\ScreenConnect Client (b6eba0cb8c0fe477)\ScreenConnect.WindowsClient.exe
TargetFilename: C:\Users\sam\Documents\ConnectWiseControl\Temp\MsgBoxEXE.exe
CreationUtcTime: 2023-10-01 09:59:00.206
User: HACKDEFENDLABS\sam

Process Create:
RuleName: -
UtcTime: 2023-10-01 09:59:00.635
ProcessGuid: {43199d79-42e4-6519-f721-000000001400}
ProcessId: 8588
Image: C:\Users\sam\Documents\ConnectWiseControl\Temp\MsgBoxEXE.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: "C:\Users\sam\Documents\ConnectWiseControl\Temp\MsgBoxEXE.exe" 
CurrentDirectory: C:\Users\sam\Documents\ConnectWiseControl\Temp\
User: HACKDEFENDLABS\sam
LogonGuid: {43199d79-fa62-6507-a9d7-270000000000}
LogonId: 0x27D7A9
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=BFCFCE9CEBB56C9850171DFF03B73588D0B07FB8,MD5=7F3AAD78D9023036188AC05AFEC4EE5E,SHA256=ED856E7E6CFEA63C030E50B501405C8BA5EE0ED6D6E03C48628B5AC69D28448E,IMPHASH=E2B7D6ABBF62F4427AA635EF6D7DB6C3
ParentProcessGuid: {43199d79-42e4-6519-f621-000000001400}
ParentProcessId: 9868
ParentImage: C:\Program Files (x86)\ScreenConnect Client (b6eba0cb8c0fe477)\ScreenConnect.WindowsClient.exe
ParentCommandLine: "C:\Program Files (x86)\ScreenConnect Client (b6eba0cb8c0fe477)\ScreenConnect.WindowsClient.exe" "RunFile" "C:\Users\sam\Documents\ConnectWiseControl\Temp\MsgBoxEXE.exe"
ParentUser: HACKDEFENDLABS\sam

• EID 200

• EID 201

Fixed Issues

N/A

SigmaHQ Rule Creation Conventions

• If your PR adds new rules, please consider following and applying these conventions

[frack113]

Hi,
I have make a quick view.
You can use https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/application/esent/win_esent_ntdsutil_abuse.yml as model to upgrade your 2 "application" rules.
You have to fix the logsource and the selection (you write an OR list).

Mitre tags are lowcase.

[alwashali]

Hello frack113

Thank you for checking the rules
I have made the changes, can you check please

[nasbench]

Hi @alwashali thanks for the contribution. Just have a couple of questions before we can merge these if you may :)

[nasbench]

@alwashali for the rules using the application logs. Can you post the log or screenshot of the details view. The General view has text that is often generated and not part of the log itself.