security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e91fc4486e57fc40e30d12253694de4c80a9e4ea
blue-team-tools/rules/windows/process_creation/proc_creation_win_screenconnect.yml
T
phantinuss 6ae28b7a1c fix: legitimate --> Legitimate
2022-03-16 14:35:19 +01:00

27 lines
1.2 KiB
YAML
Raw Blame History

title: Use of ScreenConnect Remote Access Software
id: 57bff678-25d1-4d6c-8211-8ca106d12053
status: experimental
description: |
An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-5---screenconnect-application-download-and-install-on-windows
author: frack113
date: 2022/02/13
logsource:
category: process_creation
product: windows
detection:
selection:
- Description: 'ScreenConnect Service'
- Product: 'ScreenConnect'
- Company: 'ScreenConnect Software'
condition: selection
falsepositives:
- Legitimate use
level: medium
tags:
- attack.command_and_control
- attack.t1219
Reference in New Issue View Git Blame Copy Permalink