Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.

WindowsFile Event

TA0002 · ExecutionT1059.003 · Windows Command Shell

Ali AlwashaliTue Oct 10windows

Detectionhightest

Disable Powershell Command History

Detects scripts or commands that disabled the Powershell command history by removing psreadline module

WindowsPowerShell Script

TA0005 · Defense EvasionT1070.003 · Clear Command History

Ali AlwashaliSun Aug 21windows

Detectionlowtest

Remote Access Tool - ScreenConnect Remote Command Execution

Detects the execution of a system command via the ScreenConnect RMM service.

WindowsProcess Creation

TA0002 · ExecutionT1059.003 · Windows Command Shell

Ali AlwashaliTue Oct 10windows

Threat Huntmediumtest

EventLog Query Requests By Builtin Utilities

Detect attempts to query the contents of the event log using command line utilities. Attackers use this technique in order to look for sensitive information in the logs such as passwords, usernames, IPs, etc.

WindowsProcess Creation

T1552 · Unsecured CredentialsTA0006 · Credential Accessdetection.threat-hunting

Ali Alwashali+1Mon Nov 20windows