{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/screenconnect/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":10,"id":"CVE-2024-1709"},{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["Elastic Defend","Microsoft Defender XDR","SentinelOne Cloud Funnel","ScreenConnect"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","defense-evasion","execution","persistence","screenconnect"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis threat brief focuses on the detection of suspicious activities related to the ScreenConnect remote access tool. ScreenConnect is a legitimate remote support software, but adversaries can exploit it to execute unauthorized commands on compromised systems. This detection identifies suspicious child processes spawned by ScreenConnect client processes, such as \u003ccode\u003eScreenConnect.ClientService.exe\u003c/code\u003e or \u003ccode\u003eScreenConnect.WindowsClient.exe\u003c/code\u003e, which can indicate malicious activities such as spawning PowerShell or cmd.exe with unusual arguments. This activity can indicate potential abuse of remote access capabilities, leading to data exfiltration, command and control communication, or the establishment of persistence mechanisms. Recent exploitation of CVE-2024-1709 and CVE-2024-1708 have highlighted the risk associated with ScreenConnect exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a system with ScreenConnect installed. This could be achieved through exploiting vulnerabilities like CVE-2024-1709 and CVE-2024-1708, or through credential compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker uses ScreenConnect to connect to the compromised system remotely.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the ScreenConnect interface to execute commands on the remote system.\u003c/li\u003e\n\u003cli\u003eThe attacker spawns a command interpreter, such as \u003ccode\u003ecmd.exe\u003c/code\u003e, using ScreenConnect. This process is a child process of the ScreenConnect client process.\u003c/li\u003e\n\u003cli\u003eThe attacker uses \u003ccode\u003ecmd.exe\u003c/code\u003e to execute malicious commands, such as downloading and executing a malicious payload.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker spawns \u003ccode\u003epowershell.exe\u003c/code\u003e with encoded commands or commands to download and execute malicious payloads from a remote server.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence by creating a scheduled task using \u003ccode\u003eschtasks.exe\u003c/code\u003e or creates a new service using \u003ccode\u003esc.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003enet.exe\u003c/code\u003e to modify user accounts or privileges to maintain access to the compromised system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized access to sensitive data, installation of malware, and establishment of persistent access to the compromised system. This can result in data theft, disruption of services, and further lateral movement within the network. The number of victims and specific sectors targeted varies depending on the attacker\u0026rsquo;s objectives, but the impact can be significant for organizations relying on ScreenConnect for remote support.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect suspicious child processes spawned by ScreenConnect and tune for your environment.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for ScreenConnect client processes spawning suspicious child processes like \u003ccode\u003epowershell.exe\u003c/code\u003e, \u003ccode\u003ecmd.exe\u003c/code\u003e, \u003ccode\u003enet.exe\u003c/code\u003e, \u003ccode\u003eschtasks.exe\u003c/code\u003e, \u003ccode\u003esc.exe\u003c/code\u003e, \u003ccode\u003erundll32.exe\u003c/code\u003e, \u003ccode\u003emshta.exe\u003c/code\u003e, \u003ccode\u003ecertutil.exe\u003c/code\u003e, \u003ccode\u003ewscript.exe\u003c/code\u003e, \u003ccode\u003ecscript.exe\u003c/code\u003e, \u003ccode\u003ecurl.exe\u003c/code\u003e, \u003ccode\u003essh.exe\u003c/code\u003e, \u003ccode\u003escp.exe\u003c/code\u003e, \u003ccode\u003ewevtutil.exe\u003c/code\u003e, \u003ccode\u003ewget.exe\u003c/code\u003e, or \u003ccode\u003ewmic.exe\u003c/code\u003e as detailed in the Sigma rules.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process-creation logging to capture the necessary process execution data to activate the rules above.\u003c/li\u003e\n\u003cli\u003eReview and revoke any unauthorized user accounts or privileges that may have been created or modified using tools like \u003ccode\u003enet.exe\u003c/code\u003e as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-05-16T16:10:00Z","date_published":"2024-05-16T16:10:00Z","id":"/briefs/2024-05-screenconnect-child-process/","summary":"This rule identifies suspicious child processes spawned by ScreenConnect client processes, potentially indicating unauthorized access and command execution abusing ScreenConnect remote access software to perform malicious activities such as data exfiltration or establishing persistence.","title":"Suspicious ScreenConnect Client Child Process Activity","url":"https://feed.craftedsignal.io/briefs/2024-05-screenconnect-child-process/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2024-1708"}],"_cs_exploited":false,"_cs_products":["ScreenConnect"],"_cs_severities":["critical"],"_cs_tags":["path-traversal","remote-code-execution","cve-2024-1708","connectwise"],"_cs_type":"advisory","_cs_vendors":["ConnectWise"],"content_html":"\u003cp\u003eCVE-2024-1708 is a critical path traversal vulnerability affecting ConnectWise ScreenConnect. This flaw could allow an unauthenticated attacker to execute remote code or directly access confidential data and critical systems. ConnectWise released security bulletin 23.9.8 to address this vulnerability. Given the potential for remote code execution and data compromise, this vulnerability poses a significant risk to organizations using ConnectWise ScreenConnect, potentially allowing full system takeover. CISA added this to their KEV catalog and recommends applying mitigations per vendor instructions, following BOD 22-01 guidance for cloud services, or discontinuing use of the product if mitigations are unavailable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a ConnectWise ScreenConnect server exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request containing a path traversal payload targeting a vulnerable endpoint within ScreenConnect. This payload is designed to bypass authentication checks.\u003c/li\u003e\n\u003cli\u003eThe ScreenConnect server processes the malicious request, and the path traversal vulnerability allows the attacker to access files outside of the intended webroot directory.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the file access to read sensitive configuration files, potentially containing credentials or other sensitive information.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker uploads a malicious executable (e.g., a web shell) to a writeable directory accessible via path traversal.\u003c/li\u003e\n\u003cli\u003eThe attacker executes the uploaded web shell, gaining remote code execution on the ScreenConnect server.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised ScreenConnect server as a pivot point to move laterally within the internal network, escalating privileges and compromising additional systems.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or deploys ransomware, disrupting business operations and causing significant financial damage.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2024-1708 can lead to complete compromise of ConnectWise ScreenConnect servers and potentially the entire network. Attackers could exfiltrate sensitive data, deploy ransomware, or use the compromised systems for lateral movement. Given the widespread use of ScreenConnect in MSP environments, a successful attack could impact numerous downstream clients, causing widespread disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the mitigations provided by ConnectWise in security bulletin 23.9.8 to patch CVE-2024-1708.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Suspicious ScreenConnect Path Traversal Attempts\u0026rdquo; to identify potential exploitation attempts in web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious outbound connections originating from ScreenConnect servers, as this could indicate post-exploitation activity.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of ConnectWise ScreenConnect servers, following security best practices to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-04-29T12:00:00Z","date_published":"2024-04-29T12:00:00Z","id":"/briefs/2024-04-29-screenconnect-path-traversal/","summary":"CVE-2024-1708 is a path traversal vulnerability in ConnectWise ScreenConnect that could allow an attacker to execute remote code or directly impact confidential data and critical systems.","title":"ConnectWise ScreenConnect Path Traversal Vulnerability (CVE-2024-1708)","url":"https://feed.craftedsignal.io/briefs/2024-04-29-screenconnect-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","AteraAgent","AweSun","APC Admin","APC Host","BeyondTrust Remote Support","Bomgar","Remote Support","B4-Service","CagService","Domotz Agent","dwagsvc","DWRCC","FleetDeck Commander","GetScreen","GoToAssist","GoToResolve","ImperoClient","ImperoServer","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LMIIgnition","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMM","parsec","PService","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RCClient","RCService","RPCSuite","RustDesk","RemoteUtilities","saazapsc","ScreenConnect","Splashtop","Supremo","Syncro","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["remote-access-tool","command-and-control","rmm","windows"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows systems running multiple Remote Monitoring and Management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments might utilize several tools, the presence of multiple RMM solutions on a single host can signify a compromise, unauthorized software installation (shadow IT), or attackers establishing redundant access points. The rule maps process names to vendor labels to avoid inflated counts from multiple binaries of the same vendor. This activity has been observed as a component of broader attack campaigns, including those leveraging compromised MSP infrastructure, and is described in CISA AA23-025A. The timeframe analyzed is \u0026ldquo;now-9m\u0026rdquo;, and the rule triggers if two or more different vendors are detected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing, exploiting vulnerabilities, or stolen credentials.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool (e.g., AnyDesk, TeamViewer) for remote access and control.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by configuring the RMM tool to start automatically on system boot.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the initial access to discover other systems on the network.\u003c/li\u003e\n\u003cli\u003eAdditional RMM Deployment: The attacker deploys a second RMM tool (e.g., ScreenConnect, Splashtop) from a different vendor to create a redundant access method.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges using the compromised RMM tools, if necessary.\u003c/li\u003e\n\u003cli\u003eRemote Control: The attacker uses the RMM tools to remotely control the system, execute commands, and access sensitive data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration or Further Exploitation: The attacker exfiltrates sensitive data or uses the compromised system to launch further attacks on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack leveraging multiple RMM tools can result in unauthorized access to sensitive data, system compromise, and lateral movement within the network. The presence of multiple RMM tools increases the attacker\u0026rsquo;s resilience, making it harder to detect and remediate the intrusion. Affected systems can be used as a staging ground for further attacks, leading to significant financial and reputational damage. This can impact any Windows-based system, and the CISA advisory AA23-025A specifically highlights the risk of MSP infrastructure compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eMultiple RMM Vendors on Same Host\u003c/code\u003e to your SIEM and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate hosts triggering the rule to confirm legitimate use of multiple RMM tools. Check \u003ccode\u003eEsql.vendors_seen\u003c/code\u003e and \u003ccode\u003eEsql.processes_name_values\u003c/code\u003e for insight into the involved tools.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets to verify authorized RMM software installations.\u003c/li\u003e\n\u003cli\u003eIsolate any unauthorized or unexplained hosts and remove unapproved RMM tools.\u003c/li\u003e\n\u003cli\u003eEnforce a single approved RMM stack per asset class where possible.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon process creation logging (Event ID 1) on Windows endpoints to enhance detection capabilities as described in the rule\u0026rsquo;s setup instructions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-multiple-rmm-vendors/","summary":"This rule identifies Windows hosts where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-multiple-rmm-vendors/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["AeroAdmin","AnyDesk","Atera Agent","AweSun","APC Admin","APC Host","BeyondTrust","Remote Support","BarracudaRMM","Domotz Agent","DWService","FleetDeck Commander","GetScreen","GoTo","Impero Client","Impero Server","ISLLight","ISLLightClient","JumpCloud Agent","Level","LvAgent","LogMeIn","Lunixar","ManageEngine Remote Access Plus","MeshAgent","Mikogo","NinjaRMMAgent","NinjaRMMAgenPatcher","ninjarmm-cli","Parsec","Pulseway","Radmin","RealVNC","RemotePC","RemoteDesktopManager","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","SyncroLive","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"_cs_severities":["medium"],"_cs_tags":["command-and-control","rmm","windows","threat-detection"],"_cs_type":"advisory","_cs_vendors":["AeroAdmin","AnyDesk","Atera","AweSun","APC","BeyondTrust","BarracudaRMM","Domotz","DWService","FleetDeck","GetScreen","GoTo","Impero","ISLOnline","JumpCloud","Level","LogMeIn","Lunixar","ManageEngine","MeshCentral","Mikogo","NinjaOne","Parsec","Pulseway","Radmin","RealVNC","RemotePC","Devolutions","RPCSuite","RustDesk","RemoteUtilities","Kaseya","ScreenConnect","Splashtop","Supremo","TacticalRMM","Tailscale","TeamViewer","Tiflux","ToDesk","Twingate","TightVNC","UltraVNC","UltraViewer","AnyAssist","Velociraptor","ToolsIQ","ZohoAssist"],"content_html":"\u003cp\u003eThis detection rule identifies Windows hosts running multiple remote monitoring and management (RMM) tools from different vendors within an eight-minute timeframe. While legitimate MSP environments may utilize multiple tools, this activity can also indicate malicious behavior, such as an attacker establishing redundant access to a compromised system. The rule maps various RMM processes to vendor labels, ensuring that multiple binaries from the same vendor do not inflate the count. The processes monitored include popular RMM tools like TeamViewer, AnyDesk, ScreenConnect, and many others. This rule is designed to detect suspicious activity within the environment and alert security teams to potential compromises. The timeframe is set to eight minutes to reduce false positives.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: An attacker gains initial access to a Windows host, possibly through phishing or exploitation of a vulnerability.\u003c/li\u003e\n\u003cli\u003eTool Deployment: The attacker deploys an initial RMM tool for remote access and control.\u003c/li\u003e\n\u003cli\u003eSecondary Tool Deployment: The attacker deploys a second RMM tool from a different vendor to ensure redundant access in case the first tool is detected or removed.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The attacker escalates privileges to gain SYSTEM or Administrator rights, if necessary, to maintain persistent access and control.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the RMM tools to move laterally within the network to access additional systems and data.\u003c/li\u003e\n\u003cli\u003eData Exfiltration/Malicious Activity: The attacker uses the established RMM connections to exfiltrate sensitive data or perform other malicious activities such as deploying ransomware.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to unauthorized access to sensitive systems and data, potentially resulting in data breaches, financial loss, and reputational damage. This detection rule helps identify hosts that might be compromised by malicious actors utilizing multiple RMM tools for command and control. Identifying potentially compromised systems is key to preventing widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect multiple RMM tools running on the same host within an eight-minute window.\u003c/li\u003e\n\u003cli\u003eInvestigate systems triggering this alert by reviewing process execution logs and network connections to identify the source of the RMM tool installation.\u003c/li\u003e\n\u003cli\u003eEnforce a policy of a single approved RMM stack per asset class to minimize the risk of unauthorized RMM tool usage.\u003c/li\u003e\n\u003cli\u003eTune the provided Sigma rules with host or organizational unit exceptions for legitimate MSP/IT tooling environments.\u003c/li\u003e\n\u003cli\u003eReview asset inventory and change tickets for approved RMM software to identify unauthorized installations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-02-multiple-rmm-vendors/","summary":"This detection identifies a Windows host where two or more distinct remote monitoring and management (RMM) or remote-access tool vendors are observed starting processes within the same eight-minute window, potentially indicating compromise, shadow IT, or attacker staging of redundant access.","title":"Multiple Remote Management Tool Vendors on Same Host","url":"https://feed.craftedsignal.io/briefs/2024-01-02-multiple-rmm-vendors/"}],"language":"en","title":"CraftedSignal Threat Feed — ScreenConnect","version":"https://jsonfeed.org/version/1.1"}