ScreenConnect Server Spawning Suspicious Processes
The ScreenConnect server is spawning suspicious processes such as cmd.exe and powershell.exe, potentially indicating exploitation or web shell activity leading to unauthorized access and control over the system.
This detection identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). ScreenConnect is a remote support tool that, when compromised, can allow adversaries to execute unauthorized commands or scripts. This activity may indicate exploitation of a ScreenConnect server vulnerability or access to an existing web shell backdoor. The detection focuses on identifying unusual child processes like command shells spawned by the ScreenConnect service, signaling possible exploitation or web shell activity. The rule is designed to catch activity related to initial access (T1190) and execution (T1059) using command and scripting interpreters like PowerShell (T1059.001) and Windows Command Shell (T1059.003).
Attack Chain
- The attacker exploits a vulnerability in the ScreenConnect server (T1190) to gain initial access.
- A web shell is deployed on the ScreenConnect server (T1505.003), providing a persistent backdoor.
- The attacker interacts with the web shell to execute commands on the server.
- The ScreenConnect service spawns a command shell (cmd.exe) or PowerShell process (powershell.exe) (T1059).
- The attacker uses the command shell or PowerShell to perform reconnaissance on the network.
- The attacker attempts to escalate privileges on the compromised system.
- The attacker uses the compromised system to move laterally within the network.
- The attacker achieves their final objective, such as data exfiltration or ransomware deployment.
Impact
A successful exploitation of the ScreenConnect server can lead to unauthorized access and control over the system. This can result in data theft, malware deployment, or further lateral movement within the network. The compromised server can also be used as a launchpad for attacks against other internal systems, causing widespread disruption and damage. If successful, attackers can maintain persistent access and control over critical systems.
Recommendation
- Deploy the Sigma rule "ScreenConnect Server Spawning Suspicious Processes" to your SIEM to detect suspicious child processes of ScreenConnect.Service.exe, tuning for known-good administrative activity.
- Review ScreenConnect session logs for unauthorized access or unusual activity patterns as mentioned in the overview.
- Apply security patches and updates to the ScreenConnect server and any other vulnerable applications as part of the remediation strategy.
- Enable Sysmon process creation logging to capture the necessary events for the Sigma rule "ScreenConnect Server Spawning Suspicious Processes".
- Investigate any alerts generated by the Sigma rule "ScreenConnect Server Spawning Suspicious Processes" to determine the extent of the compromise.
Detection coverage 2
ScreenConnect Server Spawning Suspicious Processes
highDetects suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe).
ScreenConnect Suspicious Process PE File Name
highDetects suspicious processes with certain PE file names being spawned by the ScreenConnect server process (ScreenConnect.Service.exe).
Detection queries are available on the platform. Get full rules →