-
-
Notifications
You must be signed in to change notification settings - Fork 2.2k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge PR #4467 from @alwashali - New Rules Related To ScreenConnect R…
…MM Activity new: Remote Access Tool - ScreenConnect Command Execution new: Remote Access Tool - ScreenConnect File Transfer new: Remote Access Tool - ScreenConnect Temporary File new: Remote Access Tool - ScreenConnect Remote Command Execution --------- Co-authored-by: Nasreddine Bencherchali <[email protected]> Co-authored-by: phantinuss <[email protected]>
- Loading branch information
3 people
authored
Oct 5, 2023
1 parent
a7fc610
commit 6075db0
Showing
4 changed files
with
109 additions
and
0 deletions.
There are no files selected for viewing
27 changes: 27 additions & 0 deletions
27
...ltin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| title: Remote Access Tool - ScreenConnect Command Execution | ||
| id: 076ebe48-cc05-4d8f-9d41-89245cd93a14 | ||
| related: | ||
| - id: b1f73849-6329-4069-bc8f-78a604bb8b23 | ||
| type: similar | ||
| status: experimental | ||
| description: Detects command execution via ScreenConnect RMM | ||
| references: | ||
| - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling | ||
| - https://github.com/SigmaHQ/sigma/pull/4467 | ||
| author: Ali Alwashali | ||
| date: 2023/10/10 | ||
| tags: | ||
| - attack.execution | ||
| - attack.t1059.003 | ||
| logsource: | ||
| service: application | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| Provider_Name: 'ScreenConnect' | ||
| EventID: 200 | ||
| Data|contains: 'Executed command of length' | ||
| condition: selection | ||
| falsepositives: | ||
| - Legitimate use of ScreenConnect | ||
| level: low |
27 changes: 27 additions & 0 deletions
27
...tin/application/screenconnect/win_app_remote_access_tools_screenconnect_file_transfer.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| title: Remote Access Tool - ScreenConnect File Transfer | ||
| id: 5d19eb78-5b5b-4ef2-a9f0-4bfa94d58a13 | ||
| related: | ||
| - id: b1f73849-6329-4069-bc8f-78a604bb8b23 | ||
| type: similar | ||
| status: experimental | ||
| description: Detects file being transferred via ScreenConnect RMM | ||
| references: | ||
| - https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling | ||
| - https://github.com/SigmaHQ/sigma/pull/4467 | ||
| author: Ali Alwashali | ||
| date: 2023/10/10 | ||
| tags: | ||
| - attack.execution | ||
| - attack.t1059.003 | ||
| logsource: | ||
| service: application | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| Provider_Name: 'ScreenConnect' | ||
| EventID: 201 | ||
| Data|contains: 'Transferred files with action' | ||
| condition: selection | ||
| falsepositives: | ||
| - Legitimate use of ScreenConnect | ||
| level: low |
27 changes: 27 additions & 0 deletions
27
.../windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| title: Remote Access Tool - ScreenConnect Temporary File | ||
| id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5 | ||
| related: | ||
| - id: b1f73849-6329-4069-bc8f-78a604bb8b23 | ||
| type: similar | ||
| status: experimental | ||
| description: | | ||
| Detects the creation of files in a specific location by ScreenConnect RMM. | ||
| ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution. | ||
| references: | ||
| - https://github.com/SigmaHQ/sigma/pull/4467 | ||
| author: Ali Alwashali | ||
| date: 2023/10/10 | ||
| tags: | ||
| - attack.execution | ||
| - attack.t1059.003 | ||
| logsource: | ||
| category: file_event | ||
| product: windows | ||
| detection: | ||
| selection: | ||
| Image|endswith: '\ScreenConnect.WindowsClient.exe' | ||
| TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\' | ||
| condition: selection | ||
| falsepositives: | ||
| - Legitimate use of ScreenConnect | ||
| level: low # Incrase the level if screenconnect is not used |
28 changes: 28 additions & 0 deletions
28
...dows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_exec.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| title: Remote Access Tool - ScreenConnect Remote Command Execution | ||
| id: b1f73849-6329-4069-bc8f-78a604bb8b23 | ||
| status: experimental | ||
| description: Detects the execution of a system command via the ScreenConnect RMM service. | ||
| references: | ||
| - https://github.com/SigmaHQ/sigma/pull/4467 | ||
| author: Ali Alwashali | ||
| date: 2023/10/10 | ||
| tags: | ||
| - attack.execution | ||
| - attack.t1059.003 | ||
| logsource: | ||
| category: process_creation | ||
| product: windows | ||
| detection: | ||
| selection_parent: | ||
| ParentImage|endswith: '\ScreenConnect.ClientService.exe' | ||
| selection_img: | ||
| - Image|endswith: '\cmd.exe' | ||
| - OriginalFileName: 'Cmd.Exe' | ||
| selection_cli: | ||
| # Example: | ||
| # CommandLine: "cmd.exe" /c "C:\Windows\TEMP\ScreenConnect\23.6.8.8644\3c41d689-bbf5-4216-b2f4-ba8fd6192c25run.cmd" | ||
| CommandLine|contains: '\TEMP\ScreenConnect\' | ||
| condition: all of selection_* | ||
| falsepositives: | ||
| - Legitimate use of ScreenConnect. Disable this rule if ScreenConnect is heavily used. | ||
| level: medium |