Florian Roth
26 lines
908 B
YAML
26 lines
908 B
YAML
title: ScreenConnect Backstage Mode Anomaly
|
|
id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
|
|
description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
|
|
status: experimental
|
|
references:
|
|
- https://www.mandiant.com/resources/telegram-malware-iranian-espionage
|
|
- https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
|
|
tags:
|
|
- attack.command_and_control
|
|
- attack.t1219
|
|
author: Florian Roth
|
|
date: 2022/02/25
|
|
logsource:
|
|
product: windows
|
|
category: process_creation
|
|
detection:
|
|
selection:
|
|
ParentImage|endswith: 'ScreenConnect.ClientService.exe'
|
|
Image|endswith:
|
|
- '\cmd.exe'
|
|
- '\powershell.exe'
|
|
condition: selection
|
|
falsepositives:
|
|
- Case in which administrators are allowed to use ScreenConnect's Backstage mode
|
|
level: high
|