Detectionhightest

Remote Access Tool - ScreenConnect Server Web Shell Execution

Detects potential web shell execution from the ScreenConnect server process.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Jason Rathbun (Blackpoint Cyber)Created Mon Feb 26b19146a3-25d4-41b4-928b-1e2a92641b1bwindows

Log Source

WindowsProcess Creation

ProductWindows← raw: windows

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.Service.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\csc.exe'
    condition: selection

False Positives

Unlikely

False positives are unlikely for most environments. High confidence detection.

References

MITRE ATT&CK

Tactics

TA0001 · Initial Access

Techniques

T1190 · Exploit Public-Facing Application

Rule Metadata

Rule ID

b19146a3-25d4-41b4-928b-1e2a92641b1b

Status

test

Level

high

Type

Detection

Created

Mon Feb 26

Author

Jason Rathbun (Blackpoint Cyber)

Path

rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_webshell.yml

Raw Tags

attack.initial-accessattack.t1190

View on GitHub