Adversaries may use ScreenConnect to drop temporary files as part of remote execution tactics, leveraging the tool’s capability to execute binaries on target systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential remote code execution attempts masked by legitimate RMM activity.
Detection Rule
title: Remote Access Tool - ScreenConnect Temporary File
id: 0afecb6e-6223-4a82-99fb-bf5b981e92a5
related:
    - id: b1f73849-6329-4069-bc8f-78a604bb8b23
      type: similar
status: test
description: |
    Detects the creation of files in a specific location by ScreenConnect RMM.
    ScreenConnect has a feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\<username>\Documents\ConnectWiseControl\Temp\" before execution.
references:
    - https://github.com/SigmaHQ/sigma/pull/4467
author: Ali Alwashali
date: 2023-10-10
tags:
    - attack.execution
    - attack.t1059.003
logsource:
    category: file_event
    product: windows
detection:
    selection:
        Image|endswith: '\ScreenConnect.WindowsClient.exe'
        TargetFilename|contains: '\Documents\ConnectWiseControl\Temp\'
    condition: selection
falsepositives:
    - Legitimate use of ScreenConnect
# Note: Increase the level if ScreenConnect is not used
level: low
imFileEvent
// Sigma's Image (the process creating the file) maps to ActingProcessName in the
// ASIM FileEvent schema, and TargetFilename maps to the full TargetFilePath.
// TargetFileName holds only the file name, so a path fragment would never match it.
// KQL endswith/contains are case-insensitive, matching the Sigma modifiers.
| where EventType == "FileCreated"
| where ActingProcessName endswith "\\ScreenConnect.WindowsClient.exe"
| where TargetFilePath contains "\\Documents\\ConnectWiseControl\\Temp\\"
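As an added example that is not part of the Sigma rule, its PR or the Sentinel query above, the following Python replays the rule's selection logic over constructed file-creation events and applies the "known admin user" exclusion described in the scenarios below; the install directory, usernames and file names are made up for illustration.

```python
"""Added example (not part of the Sigma rule or the page): replays the
ScreenConnect temporary-file selection over constructed file-creation
events. Field names follow Sigma's windows/file_event taxonomy (Image,
TargetFilename); the sample events are constructed, not real telemetry."""
from dataclasses import dataclass

# Values from the rule's selection block, lower-cased once.
IMAGE_SUFFIX = "\\screenconnect.windowsclient.exe"
PATH_FRAGMENT = "\\documents\\connectwisecontrol\\temp\\"

@dataclass(frozen=True)
class FileEvent:
    image: str            # creating process (Sysmon Event ID 11 "Image")
    target_filename: str  # full path of the created file
    user: str = ""        # used only by the known-admin exclusion

def matches_rule(ev):
    """Sigma's endswith/contains modifiers are case-insensitive, as are
    Windows paths, so compare lower-cased strings like the backends do."""
    return (ev.image.lower().endswith(IMAGE_SUFFIX)
            and PATH_FRAGMENT in ev.target_filename.lower())

def triage(events, known_admins=frozenset()):
    """Split matching events into alerts and suppressed hits using the
    page's 'known admin user' exclusion (a tuning knob for environments
    where ScreenConnect is sanctioned, hence level: low)."""
    alerts, suppressed = [], []
    for ev in events:
        if not matches_rule(ev):
            continue
        (suppressed if ev.user.lower() in known_admins else alerts).append(ev)
    return alerts, suppressed

SC = r"C:\Program Files (x86)\ScreenConnect Client (abc123)"  # constructed install dir
SAMPLE_EVENTS = [  # constructed telemetry
    FileEvent(SC + r"\ScreenConnect.WindowsClient.exe",
              r"C:\Users\jdoe\Documents\ConnectWiseControl\Temp\run.exe", r"CORP\jdoe"),
    FileEvent(SC + r"\SCREENCONNECT.WINDOWSCLIENT.EXE",  # case must not matter
              r"C:\Users\helpdesk\Documents\ConnectWiseControl\Temp\patch.ps1", r"CORP\helpdesk"),
    FileEvent(r"C:\Windows\explorer.exe",  # same directory, other process: out of scope
              r"C:\Users\jdoe\Documents\ConnectWiseControl\Temp\notes.txt", r"CORP\jdoe"),
    FileEvent(SC + r"\ScreenConnect.WindowsClient.exe",  # other directory: out of scope
              r"C:\ProgramData\ScreenConnect Client (abc123)\client.log", "SYSTEM"),
]

if __name__ == "__main__":
    alerts, suppressed = triage(SAMPLE_EVENTS, known_admins={r"corp\helpdesk"})
    print(f"{len(alerts)} alert(s), {len(suppressed)} suppressed as known-admin activity")
```

The exclusion is deliberately applied after the match so suppressed hits can still be counted and reviewed rather than silently dropped from the query.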
Scenario: Scheduled Maintenance Task Using ScreenConnect
Description: A system administrator uses ScreenConnect to schedule a maintenance task that involves creating temporary files on a remote machine as part of a routine system update or patching process.
Filter/Exclusion: Check the file creation context against known maintenance tasks or scheduled jobs (e.g., taskname contains “maintenance” or “patching”).
Scenario: Remote Execution of a Legitimate Script via ScreenConnect
Description: An IT team uses ScreenConnect to remotely execute a legitimate script (e.g., PowerShell, Python, or Batch) that temporarily creates files in the monitored directory as part of its operation.
Filter/Exclusion: Filter based on the file name or content (e.g., file_name contains “script_temp” or file_content matches a known script signature).
Scenario: Temporary File Creation During Software Deployment
Description: A deployment tool (e.g., Chocolatey, Ansible, or Puppet) uses ScreenConnect to deploy software, which involves creating temporary files in the monitored directory during installation.
Filter/Exclusion: Exclude files created by known deployment tools (e.g., file_name contains “choco” or “ansible_temp”).
Scenario: User-Initiated Remote Session with ScreenConnect
Description: A user initiates a remote session using ScreenConnect, and during the session, a temporary file is created as part of the session management or clipboard operations.
Filter/Exclusion: Exclude files created during active user sessions (e.g., process_name contains “ScreenConnect” and user_name is a known admin user).
Scenario: Log File Generation by ScreenConnect Services
Description: ScreenConnect services generate log files in the monitored directory as part of their normal operation, which could be