Remote Access Tool - ScreenConnect Remote Command Execution - Hunting
Detects remote binary or command execution via the ScreenConnect Service. Use this rule to hunt for potentially anomalous executions originating from ScreenConnect.
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
detection:
    selection:
        ParentImage|endswith: '\ScreenConnect.ClientService.exe'
    condition: selection
Legitimate commands launched from ScreenConnect will also trigger this rule. Look for anomalies.
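One way to act on "look for anomalies" is to apply the rule's selection and then stack the matching events by child image, rarest first. This is an added example, not part of the Sigma rule or its project; the Sysmon-style field names (Image, ParentImage, CommandLine, Computer), the install path, the host names and every sample event are constructed assumptions.

```python
from collections import defaultdict

# Suffix taken from the rule's selection (ParentImage|endswith).
PARENT_SUFFIX = "\\ScreenConnect.ClientService.exe"

def matches_selection(event):
    """Apply the rule's single condition; Sigma string matching ignores case."""
    parent = event.get("ParentImage") or ""
    return parent.lower().endswith(PARENT_SUFFIX.lower())

def stack_children(events):
    """Group matching events by child image; return rows sorted rarest first."""
    stats = defaultdict(lambda: {"count": 0, "hosts": set(), "example": ""})
    for ev in filter(matches_selection, events):
        row = stats[ev["Image"].lower()]
        row["count"] += 1
        row["hosts"].add(ev["Computer"])
        row["example"] = row["example"] or ev["CommandLine"]
    rows = [(img, r["count"], len(r["hosts"]), r["example"]) for img, r in stats.items()]
    # Fewest hosts first, then fewest executions: the top rows are the outliers.
    return sorted(rows, key=lambda r: (r[2], r[1], r[0]))

def make_event(host, parent, image, cmdline):
    return {"Computer": host, "ParentImage": parent, "Image": image, "CommandLine": cmdline}

# Constructed sample data (not real telemetry).
SC = "C:\\Program Files (x86)\\ScreenConnect Client (0123456789abcdef)\\ScreenConnect.ClientService.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [
    make_event("ws01", SC, CMD, "cmd.exe /c ipconfig /all"),
    make_event("ws02", SC, CMD, "cmd.exe /c ipconfig /all"),
    make_event("ws03", SC.upper(), CMD, "cmd.exe /c gpupdate /force"),
    make_event("ws01", SC, PS, "powershell.exe Get-Service"),
    make_event("ws02", SC, PS, "powershell.exe Get-Service"),
    make_event("ws04", SC, "C:\\Users\\Public\\tool.exe", "tool.exe"),
    make_event("ws04", "C:\\Windows\\explorer.exe", CMD, "cmd.exe"),  # other parent
]

if __name__ == "__main__":
    for image, count, hosts, example in stack_children(EVENTS):
        print(f"{hosts:>2} host(s) {count:>3} exec(s)  {image}  e.g. {example}")
```

Children that appear on a single host, or only a handful of times, are the rows to review first; the frequent ones usually reflect routine administration.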
Tactics
Other
Remote Access Tool - ScreenConnect Remote Command Execution
Detects the execution of a system command via the ScreenConnect RMM service.
This rule was derived from the related rule - both detect similar activity with different scope.
Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution
Detects potentially suspicious child processes launched via the ScreenConnect client service.
This rule was derived from the related rule - both detect similar activity with different scope.