Remote Access Tool - ScreenConnect Temporary File
Detects the creation of files in a specific location by the ScreenConnect RMM client. ScreenConnect has a feature to remotely execute binaries on a target machine; these binaries are dropped under the user's profile at \Users\<username>\Documents\ConnectWiseControl\Temp\ before execution. The rule matches any file the ScreenConnect client process writes to that folder, legitimate or not, which is why it is rated low and should be correlated with what is subsequently executed from that path.
Log Source
Product: Windows (raw: windows)
Category: File Event (raw: file_event)
Events for file system activity including creation, modification, and deletion.
Detection Logic (1 selector)
detection:
  selection:
    Image|endswith: '\ScreenConnect.WindowsClient.exe'
    TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
  condition: selection
False Positives
Legitimate use of ScreenConnect
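To see what the selection above does and does not fire on, here is a small harness that applies the rule's two field conditions to constructed file-creation events. This is an added example, not code from the Sigma project or from the rule's author; it assumes Sysmon Event ID 11 style records with the Sigma windows/file_event field names Image and TargetFilename, implements Sigma's default case-insensitive string matching for the endswith and contains modifiers, and the sample events (paths, user name, install folder) are made up for illustration.

```python
"""Hypothetical harness: run the ScreenConnect temporary-file selection over sample events.

Not part of the Sigma project or the rule itself. It applies the rule's two field
conditions with Sigma's default case-insensitive string matching to constructed
Sysmon Event ID 11 (FileCreate) style records.
"""

# The rule's selection, transcribed from the detection block above.
SELECTION = {
    "Image|endswith": "\\ScreenConnect.WindowsClient.exe",
    "TargetFilename|contains": "\\Documents\\ConnectWiseControl\\Temp\\",
}


def sigma_match(value, pattern, modifier):
    """Evaluate one Sigma string modifier; Sigma compares case-insensitively by default."""
    v, p = value.casefold(), pattern.casefold()
    if modifier == "endswith":
        return v.endswith(p)
    if modifier == "contains":
        return p in v
    if modifier == "startswith":
        return v.startswith(p)
    if modifier is None:
        return v == p
    raise ValueError(f"unsupported modifier: {modifier}")


def matches_selection(event, selection=SELECTION):
    """All keys of a Sigma selection map are ANDed; a missing field never matches."""
    for key, pattern in selection.items():
        field, _, modifier = key.partition("|")
        value = event.get(field)
        if value is None or not sigma_match(value, pattern, modifier or None):
            return False
    return True


def run_rule(events):
    """Return the events the rule would alert on (condition: selection)."""
    return [e for e in events if matches_selection(e)]


# Constructed sample events (not real telemetry). The install folder name,
# user name and file names are assumptions for illustration only.
SAMPLE_EVENTS = [
    # 1: client writes a binary to the temp folder -> match
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.WindowsClient.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\ConnectWiseControl\Temp\tool.exe"},
    # 2: same thing with different casing -> still a match (case-insensitive)
    {"EventID": 11,
     "Image": r"C:\PROGRAM FILES (X86)\SCREENCONNECT CLIENT (ABC)\SCREENCONNECT.WINDOWSCLIENT.EXE",
     "TargetFilename": r"c:\users\jdoe\documents\connectwisecontrol\temp\run.bat"},
    # 3: another process writes to the folder -> no match (Image condition fails)
    {"EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\ConnectWiseControl\Temp\notes.txt"},
    # 4: the client writes elsewhere -> no match (TargetFilename condition fails)
    {"EventID": 11,
     "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.WindowsClient.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Temp\log.txt"},
    # 5: endswith is anchored at the end, so a renamed copy does not match
    {"EventID": 11,
     "Image": r"C:\Tools\ScreenConnect.WindowsClient.exe.bak",
     "TargetFilename": r"C:\Users\jdoe\Documents\ConnectWiseControl\Temp\x.dll"},
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print("ALERT", hit["Image"], "->", hit["TargetFilename"])
```

Events 1 and 2 fire, 3 to 5 do not. Event 2 is the one to note when porting the rule to a backend: a SIEM that does case-sensitive matching by default would silently miss it, so check the converter output for a case-insensitive comparison on both fields.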
References
MITRE ATT&CK
Tactics: Execution (attack.execution)
Sub-techniques: T1059.003 Command and Scripting Interpreter: Windows Command Shell (attack.t1059.003)
Rule Metadata
Rule ID
0afecb6e-6223-4a82-99fb-bf5b981e92a5
Status
test
Level
low
Type
Detection
Created
Tue Oct 10
Author
Path
rules/windows/file/file_event/file_event_win_remote_access_tools_screenconnect_remote_file.yml
Raw Tags
attack.execution
attack.t1059.003