ScreenConnect rules #4467

Merged
merged 11 commits into from
Oct 5, 2023
@@ -0,0 +1,27 @@
title: Remote Access Tool - ScreenConnect Command Execution
id: 076ebe48-cc05-4d8f-9d41-89245cd93a14
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: Detects command execution via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
selection:
Provider_Name: 'ScreenConnect'
EventID: 200
Data|contains: 'Executed command of length'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
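Review bot: the `selection` block rests entirely on the vendor message text `Data|contains: 'Executed command of length'` together with `Provider_Name: 'ScreenConnect'` and `EventID: 200`, so the rule silently breaks if the product changes that wording and only works where the backend maps the event's message data to a field named `Data`; the description should state which Event ID 200 field carries the text and that the event is written to the Application log of the host running the ScreenConnect client, so users can verify their field mapping before relying on the rule. A short note in `falsepositives` that `level: low` is deliberate because the sibling process_creation rule (`b1f73849-6329-4069-bc8f-78a604bb8b23`) is the higher-confidence alert would also help reviewers understand the chosen level.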
@@ -0,0 +1,27 @@
title: Remote Access Tool - ScreenConnect File Transfer
id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: Detects file being transferred via ScreenConnect RMM
references:
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
service: application
product: windows
detection:
selection:
Provider_Name: 'ScreenConnect'
EventID: 201
Data|contains: 'Transferred files with action'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low
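Review bot: the `tags` block (`attack.execution`, `attack.t1059.003`) looks copied from the command-execution rule, but this rule matches Event ID 201 `Transferred files with action`, which is a file transfer, not a Windows Command Shell execution; map it to the technique that describes moving files onto the host, `attack.t1105` (Ingress Tool Transfer) under `attack.command_and_control`, so the MITRE mapping reflects what the rule actually detects. The description also needs a grammar fix: `Detects files being transferred via ScreenConnect RMM`.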
@@ -0,0 +1,27 @@
title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
- id: b1f73849-6329-4069-bc8f-78a604bb8b23
type: similar
status: experimental
description: |
Detects the creation of files in a specific location by ScreenConnect RMM.
ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\ScreenConnect.WindowsClient.exe'
TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
condition: selection
falsepositives:
- Legitimate use of ScreenConnect
level: low # Incrase the level if screenconnect is not used
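Review bot: the inline comment on the `level` line has a typo (`Incrase` should read `Increase`), and because YAML comments are discarded when the rule is converted, the tuning advice should live in `falsepositives` or `description` instead, e.g. `- Legitimate use of ScreenConnect. Increase the level if ScreenConnect is not used in the environment.` Two further points in the description and tags: the quoted drop path starts with `:\Users\<username>\Documents\ConnectWiseControl\Temp\`, so the drive letter appears to have been lost in front of the colon; and `attack.t1059.003` (Windows Command Shell) does not describe a file_event rule that fires on the dropped binary rather than on a shell command, so the execution-technique tag should be reconsidered for this rule.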
@@ -0,0 +1,28 @@
title: Remote Access Tool - ScreenConnect Remote Command Execution
id: b1f73849-6329-4069-bc8f-78a604bb8b23
status: experimental
description: Detects the execution of a system command via the ScreenConnect RMM service.
references:
- https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023/10/10
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|endswith: '\ScreenConnect.ClientService.exe'
selection_img:
- Image|endswith: '\cmd.exe'
- OriginalFileName: 'Cmd.Exe'
selection_cli:
# Example:
# CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd"
CommandLine|contains: '\TEMP\ScreenConnect\'
condition: all of selection_*
falsepositives:
- Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used.
level: medium
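Review bot: the title `Remote Access Tool - ScreenConnect Remote Command Execution` is nearly indistinguishable from the first rule's `Remote Access Tool - ScreenConnect Command Execution`, although that one reads the Application log and this one reads process_creation; naming each after its log source would let analysts tell the two alerts apart. On scope, `selection_cli` requires `\TEMP\ScreenConnect\` in the command line, so the rule only covers commands launched through the dropped `run.cmd` script shown in the example comment, not every `cmd.exe` child of `ScreenConnect.ClientService.exe`; the description should say so explicitly (`Detects a cmd.exe launched by the ScreenConnect client service to run a script from its TEMP directory`), and the `Disable this rule if ScreenConnect is heavily used.` sentence is tuning guidance rather than a false-positive source and reads better in the description.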