Threat Feed
Advisory severity: medium

Suspicious ScreenConnect Client Child Process Activity

This rule identifies suspicious child processes spawned by ScreenConnect client processes. Such activity can indicate that an adversary has gained access through the ScreenConnect remote access software and is executing commands on the host, for example to exfiltrate data or establish persistence.

This threat brief covers the detection of suspicious activity involving the ScreenConnect remote access tool. ScreenConnect is legitimate remote support software, but an adversary who controls a session can use it to run arbitrary commands on the managed system. This detection identifies suspicious child processes of the ScreenConnect client processes, ScreenConnect.ClientService.exe and ScreenConnect.WindowsClient.exe, such as powershell.exe or cmd.exe launched with unusual arguments. Such activity can indicate abuse of the remote access channel for data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 (an authentication bypass in the ScreenConnect server) and CVE-2024-1708 (a path traversal in the same product) has highlighted the risk associated with ScreenConnect abuse.

Attack Chain

  1. The attacker gains unauthorized access to a ScreenConnect deployment, either by exploiting server vulnerabilities such as CVE-2024-1709 and CVE-2024-1708 or by using compromised credentials.
  2. The attacker uses ScreenConnect to connect remotely to a system that runs the ScreenConnect client.
  3. The attacker uses the ScreenConnect interface to run commands on the remote system.
  4. The attacker spawns a command interpreter such as cmd.exe through ScreenConnect; on the endpoint it appears as a child process of the ScreenConnect client process.
  5. The attacker uses cmd.exe to run malicious commands, for example downloading and executing a payload.
  6. Alternatively, the attacker spawns powershell.exe with encoded commands, or with commands that download and execute a payload from a remote server.
  7. The attacker establishes persistence by creating a scheduled task with schtasks.exe or a new service with sc.exe.
  8. The attacker uses net.exe to create or modify user accounts or group memberships so that access survives the ScreenConnect session.

Impact

Successful abuse can lead to unauthorized access to sensitive data, malware installation, and persistent access to the compromised system, which in turn enables data theft, service disruption, and lateral movement within the network. The impact depends on the attacker's objectives, but it can be significant for organizations that rely on ScreenConnect for remote support.

Recommendation

  • Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect, and tune them for your environment (support staff who legitimately use the ScreenConnect command feature will also produce cmd.exe and powershell.exe children).
  • Monitor process creation events for ScreenConnect client processes spawning suspicious child processes such as powershell.exe, cmd.exe, net.exe, schtasks.exe, sc.exe, rundll32.exe, mshta.exe, certutil.exe, wscript.exe, cscript.exe, curl.exe, ssh.exe, scp.exe, wevtutil.exe, wget.exe, or wmic.exe, as detailed in the Sigma rules.
  • Enable Sysmon process-creation logging (Event ID 1), or Windows Security event 4688 with command-line auditing turned on, so that the parent image, image and command line fields the rules above depend on are captured.
  • Review and revoke any unauthorized user accounts, group memberships or privileges that may have been created or modified with net.exe, and remove scheduled tasks or services created during the session, as described in the attack chain.

Detection coverage (2 rules)

ScreenConnect Spawning Suspicious Processes

medium

Detects suspicious processes spawned by ScreenConnect client processes, indicating potential unauthorized command execution.

Type: sigma
Tactics: command_and_control, defense_evasion, execution, persistence
Techniques: T1053.005, T1059.001, T1059.003, T1218, T1218.005, T1218.011, T1219
Sources: process_creation, windows

ScreenConnect Spawning Net.exe Adding User

high

Detects net.exe being spawned by ScreenConnect client processes with arguments indicating user creation, a sign of potential privilege escalation or unauthorized access.

Type: sigma
Tactics: command_and_control, privilege_escalation
Techniques: T1059.003, T1219
Sources: process_creation, windows
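The attack chain and the two rule descriptions above share one detection model: a ScreenConnect client process as parent, one of the listed binaries as child, and, for the high-severity rule, net.exe with "user" and "/add" on its command line. The following Python re-implements that model over constructed Sysmon Event ID 1 records so the logic can be run and tuned offline. It is an added example and not the vendor's Sigma rules (those stay in the platform); the install path, the instance id in it, and every sample event are made up.

```python
"""Re-implementation of the two ScreenConnect detections from this brief as
plain Python over Sysmon Event ID 1 (process creation) records.
Added example, not the vendor's Sigma rules; all sample events are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Parent images that identify the ScreenConnect client (named in the brief).
SCREENCONNECT_PARENTS: Tuple[str, ...] = (
    "\\screenconnect.clientservice.exe",
    "\\screenconnect.windowsclient.exe",
)

# Child images from the Recommendation section (medium-severity rule).
SUSPICIOUS_CHILDREN: Tuple[str, ...] = tuple(
    "\\" + name for name in (
        "powershell.exe", "cmd.exe", "net.exe", "schtasks.exe", "sc.exe",
        "rundll32.exe", "mshta.exe", "certutil.exe", "wscript.exe", "cscript.exe",
        "curl.exe", "ssh.exe", "scp.exe", "wevtutil.exe", "wget.exe", "wmic.exe",
    )
)


@dataclass(frozen=True)
class Finding:
    title: str
    severity: str
    image: str
    command_line: str


def _ends_with_any(path: str, suffixes: Tuple[str, ...]) -> bool:
    # Windows paths are case-insensitive, so match the way Sigma's |endswith
    # does on Image fields: lower-cased path against a lower-cased suffix list.
    return path.lower().endswith(suffixes)


def evaluate(event: Dict[str, str]) -> List[Finding]:
    """Apply both rules to one process-creation record (a dict of the event's
    data fields). Returns every finding that fires, or an empty list."""
    parent = event.get("ParentImage", "")
    image = event.get("Image", "")
    cmdline = event.get("CommandLine", "")
    findings: List[Finding] = []

    # Both rules share the same parent filter: the child must be spawned by
    # one of the ScreenConnect client processes.
    if not _ends_with_any(parent, SCREENCONNECT_PARENTS):
        return findings

    # Rule 1 (medium): any listed interpreter or LOLBin as the child process.
    if _ends_with_any(image, SUSPICIOUS_CHILDREN):
        findings.append(Finding("ScreenConnect Spawning Suspicious Processes",
                                "medium", image, cmdline))

    # Rule 2 (high): net.exe creating a local user, i.e. "user" and "/add" both
    # present in the command line (order-independent, like Sigma contains|all).
    # "net user" without "/add" only enumerates accounts and does not fire.
    lowered = cmdline.lower()
    if _ends_with_any(image, ("\\net.exe",)) and "user" in lowered and "/add" in lowered:
        findings.append(Finding("ScreenConnect Spawning Net.exe Adding User",
                                "high", image, cmdline))
    return findings


def run(events: Iterable[Dict[str, str]]) -> List[Finding]:
    """Evaluate a stream of events and collect every finding."""
    return [f for event in events for f in evaluate(event)]


def severity_counts(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Count findings per severity, the figure a triage dashboard would show."""
    counts: Dict[str, int] = {}
    for f in run(events):
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed Sysmon Event ID 1 records with only the fields the rules need.
# "(abc123)" stands in for the per-instance id ScreenConnect puts in the path.
SC_SVC = "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.ClientService.exe"
SC_UI = "C:\\Program Files (x86)\\ScreenConnect Client (abc123)\\ScreenConnect.WindowsClient.exe"

SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Normal: the service launching its own UI client. Must not fire.
    {"ParentImage": SC_SVC, "Image": SC_UI, "CommandLine": f'"{SC_UI}"'},
    # Normal: an interactive user opening cmd.exe from Explorer. Must not fire.
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe"},
    # Attack chain steps 4-5: command shell under the ScreenConnect service.
    {"ParentImage": SC_SVC, "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": 'cmd.exe /c "whoami /all"'},
    # Step 6: encoded PowerShell (the blob decodes to "IEX") under the UI client.
    {"ParentImage": SC_UI,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    # Step 7: persistence through a scheduled task.
    {"ParentImage": SC_SVC, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc onlogon /tn Updater /tr C:\\Users\\Public\\u.exe"},
    # Step 8: new local account; fires both the medium and the high rule.
    {"ParentImage": SC_SVC, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net.exe user support P@ssw0rd! /add"},
]

if __name__ == "__main__":
    for finding in run(SAMPLE_EVENTS):
        print(f"[{finding.severity:6}] {finding.title}: {finding.command_line}")
```

Running the block prints four medium findings and one high finding; the two benign records (the service launching its own UI client, and cmd.exe started from Explorer) stay silent. When porting this to a SIEM, keep the parent filter on the image path rather than on a process name alone, and expect to tune the child list: the medium rule is a triage signal that legitimate support sessions will also trigger, while the net.exe user-add rule is closer to a stand-alone alert.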

Detection queries are kept inside the platform.