Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ScreenConnect rules #4467

Merged
merged 11 commits into from
Oct 5, 2023
Merged

ScreenConnect rules #4467

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
dae550d
Screenconnect: provider applicaiton
alwashali Oct 1, 2023
04a928d
ScreenConnect remote command execution
alwashali Oct 1, 2023
3f44b93
ScreenConnect remote binary execution
alwashali Oct 1, 2023
b0cad0d
Update win_app_remote_binary_execution.yaml
alwashali Oct 2, 2023
57c6dac
Update win_app_remote_command_execution.yaml
alwashali Oct 2, 2023
993876b
Update file_event_win_screenconnect_remote_tool_execution.yaml
alwashali Oct 2, 2023
94de111
Update proc_creation_win_screenconnect_remote_command_execution.yaml
alwashali Oct 2, 2023
06fccc2
chore: update positions
nasbench Oct 2, 2023
6f217c0
chore: rename
nasbench Oct 4, 2023
4eb16ab
chore: update metadata
nasbench Oct 4, 2023
b47e515
fix: wording
phantinuss Oct 5, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 3 additions & 2 deletions ...ltin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
title: Remote Access Tool - ScreenConnect Remote Tool Execution
title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: ScreenConnect RMM has feature to remotely execute binaries on a target machine.
description: Detects command execution via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
Expand Down
5 changes: 3 additions & 2 deletions ...tin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
View file
Open in desktop
nasbench marked this conversation as resolved.
Show resolved Hide resolved
Original file line number Diff line number Diff line change
@@ -1,12 +1,13 @@
title: Remote Access Tool - Remote Binary Execution
title: Remote Access Tool - ScreenConnect File Trasnfer
phantinuss marked this conversation as resolved.
Show resolved Hide resolved
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: ScreenConnect RMM has feature to remotely execute binaries on a target machine.
description: Detects file being trasnfered via ScreenConnect RMM
phantinuss marked this conversation as resolved.
Show resolved Hide resolved
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
Expand Down