Adversaries may leverage ScreenConnect temporary installation artifacts to establish a covert C2 channel by deploying legitimate remote access tools. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential compromise of endpoint systems using T1219.002 techniques.
Detection Rule
title: ScreenConnect Temporary Installation Artefact
id: fec96f39-988b-4586-b746-b93d59fd1922
status: test
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022-02-13
tags:
- attack.command-and-control
- attack.t1219.002
logsource:
category: file_event
product: windows
detection:
selection:
TargetFilename|contains: '\Bin\ScreenConnect.' # pattern to dll and jar file
condition: selection
falsepositives:
- Legitimate use
level: medium
imFileEvent
| where TargetFileName contains "\\Bin\\ScreenConnect."Scenario: IT Department Installs ScreenConnect for Remote Support
Description: The IT team legitimately installs ScreenConnect to provide remote support to end-users.
Filter/Exclusion: Check for installation by known IT admin accounts (e.g., ITSupport, HelpDesk) or use a filter like:
process.parent_process.name == "msiexec.exe" AND process.command_line LIKE "%ScreenConnect%" AND user.account_name IN ("ITSupport", "HelpDesk")Scenario: Scheduled Job for Software Updates
Description: A scheduled task runs to update or patch ScreenConnect on multiple endpoints as part of routine maintenance.
Filter/Exclusion: Filter by process name schtasks.exe or use a rule like:
process.name == "schtasks.exe" AND process.command_line LIKE "/create /xml" AND file.name == "ScreenConnectUpdate.xml"Scenario: Temporary Installation for a Specific Support Request
Description: A support technician installs ScreenConnect temporarily to assist a user with a specific issue and removes it afterward.
Filter/Exclusion: Monitor for short-lived processes or use a filter like:
process.name == "ScreenConnect.exe" AND event_id == 1006 AND timestamp < (current_time - 1 hour)Scenario: Software Deployment via Group Policy
Description: ScreenConnect is deployed via Group Policy to a subset of users or devices for remote access purposes.
Filter/Exclusion: Use a filter based on the source of the installation, such as:
process.parent_process.name == "gpupdate.exe" AND file.name == "ScreenConnect.msi"Scenario: Admin Task to Configure Remote Access Tools
*Description