[metadata] creation_date = "2024/03/26" integration = ["endpoint", "windows"] maturity = "production" updated_date = "2024/05/21" [rule] author = ["Elastic"] description = """ Identifies suspicious processes being spawned by the ScreenConnect server process (ScreenConnect.Service.exe). This activity may indicate exploitation activity or access to an existing web shell backdoor. """ from = "now-9m" index = [ "logs-endpoint.events.process-*", "winlogbeat-*", "logs-windows.sysmon_operational-*", "logs-system.security*", "endgame-*", ] language = "eql" license = "Elastic License v2" name = "ScreenConnect Server Spawning Suspicious Processes" references = ["https://blackpointcyber.com/resources/blog/breaking-through-the-screen/"] risk_score = 73 rule_id = "3d00feab-e203-4acc-a463-c3e15b7e9a73" severity = "high" tags = [ "Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Initial Access", "Tactic: Execution", "Data Source: Elastic Endgame", "Data Source: Elastic Defend", "Data Source: Sysmon", ] timestamp_override = "event.ingested" type = "eql" query = ''' process where host.os.type == "windows" and event.type == "start" and process.parent.name : "ScreenConnect.Service.exe" and (process.name : ("cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe", "csc.exe") or ?process.pe.original_file_name in ("cmd.exe", "powershell.exe", "pwsh.dll", "powershell_ise.exe")) ''' [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1190" name = "Exploit Public-Facing Application" reference = "https://attack.mitre.org/techniques/T1190/" [rule.threat.tactic] id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" [[rule.threat]] framework = "MITRE ATT&CK" [[rule.threat.technique]] id = "T1059" name = "Command and Scripting Interpreter" reference = "https://attack.mitre.org/techniques/T1059/" [[rule.threat.technique.subtechnique]] id = "T1059.001" name = "PowerShell" reference = "https://attack.mitre.org/techniques/T1059/001/" [[rule.threat.technique.subtechnique]] id = "T1059.003" name = "Windows Command Shell" reference = "https://attack.mitre.org/techniques/T1059/003/" [rule.threat.tactic] id = "TA0002" name = "Execution" reference = "https://attack.mitre.org/tactics/TA0002/"