Detectionlowtest

Remote Access Tool - ScreenConnect Command Execution

Detects command execution via ScreenConnect RMM

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Ali AlwashaliCreated Tue Oct 10076ebe48-cc05-4d8f-9d41-89245cd93a14windows

Log Source

Windowsapplication

ProductWindows← raw: windows

Serviceapplication← raw: application

Detection Logic

detection:
    selection:
        Provider_Name: 'ScreenConnect'
        EventID: 200
        Data|contains: 'Executed command of length'
    condition: selection

False Positives

Legitimate use of ScreenConnect

References

MITRE ATT&CK

Tactics

TA0002 · Execution

Sub-techniques

T1059.003 · Windows Command Shell

Related Rules

SimilarDetectionlow

Remote Access Tool - ScreenConnect Remote Command Execution

Detects the execution of a system command via the ScreenConnect RMM service.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

076ebe48-cc05-4d8f-9d41-89245cd93a14

Status

test

Level

low

Type

Detection

Created

Tue Oct 10

Author

Ali Alwashali

Path

rules/windows/builtin/application/screenconnect/win_app_remote_access_tools_screenconnect_command_exec.yml

Raw Tags

attack.executionattack.t1059.003

View on GitHub