title: ScreenConnect Backstage Mode Anomaly
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
status: experimental
references:
   - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
   - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
tags:
   - attack.command_and_control
   - attack.t1219
author: Florian Roth
date: 2022/02/25
logsource:
   product: windows
   category: process_creation
detection:
   selection:
      ParentImage|endswith: 'ScreenConnect.ClientService.exe'
      Image|endswith:
         - '\cmd.exe'
         - '\powershell.exe'
   condition: selection
falsepositives:
   - Case in which administrators are allowed to use ScreenConnect's Backstage mode
level: high