← Back to SOC feed Coverage →

Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution

sigma MEDIUM SigmaHQ
T1219.002
imProcessCreate
This rule was pulled from an open-source repository and enriched with AI. Validate in a test environment before deploying to production.
View original rule at SigmaHQ →
Retrieved: 2026-05-18T23:00:00Z · Confidence: medium

Hunt Hypothesis

Detects potentially suspicious child processes launched via the ScreenConnect client service.

Detection Rule

Sigma (Original)

title: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
related:
    - id: d1a401ab-8c47-4e86-a7d8-2460b6a53e4a
      type: derived
status: test
description: |
    Detects potentially suspicious child processes launched via the ScreenConnect client service.
references:
    - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
    - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
date: 2022-02-25
modified: 2024-02-28
tags:
    - attack.command-and-control
    - attack.t1219.002
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentCommandLine|contains|all:
            - ':\Windows\TEMP\ScreenConnect\'
            - 'run.cmd'
        Image|endswith:
            - '\bitsadmin.exe'
            - '\cmd.exe'
            - '\curl.exe'
            - '\dllhost.exe'
            - '\net.exe'
            - '\nltest.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\rundll32.exe'
            - '\wevtutil.exe'
    condition: selection
falsepositives:
    - If the script being executed make use of any of the utilities mentioned in the detection then they should filtered out or allowed.
level: medium

KQL (Azure Sentinel)

imProcessCreate
| where (ActingProcessCommandLine contains ":\\Windows\\TEMP\\ScreenConnect\\" and ActingProcessCommandLine contains "run.cmd") and (TargetProcessName endswith "\\bitsadmin.exe" or TargetProcessName endswith "\\cmd.exe" or TargetProcessName endswith "\\curl.exe" or TargetProcessName endswith "\\dllhost.exe" or TargetProcessName endswith "\\net.exe" or TargetProcessName endswith "\\nltest.exe" or TargetProcessName endswith "\\powershell.exe" or TargetProcessName endswith "\\pwsh.exe" or TargetProcessName endswith "\\rundll32.exe" or TargetProcessName endswith "\\wevtutil.exe")

Required Data Sources

Sentinel TableNotes
imProcessCreateEnsure this data connector is enabled

False Positive Guidance

MITRE ATT&CK Context

References

Original source: https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml