23 changes: 19 additions & 4 deletions yaml/screenconnect.yaml
Expand Up @@ -3,7 +3,7 @@ Description: ScreenConnect is a remote monitoring and management (RMM) tool. Mor
information will be added as it becomes available.
Author: Ali Alwashali, Nasreddine Bencherchali
Created: '2023-10-01'
LastModified: '2024-08-03'
LastModified: '2024-11-16'
Details:
Website: https://www.connectwise.com
PEMetadata:
Expand Down Expand Up @@ -33,9 +33,7 @@ Details:
InstallationPaths:
- C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe
- Remote Workforce Client.exe
- '*\*\ScreenConnect.ClientService.exe'
- C:\Program Files (x86)\ScreenConnect Client (<string ID>)\*
- '*\ScreenConnect Client*\*'
- '*\*\ScreenConnect.WindowsClient.exe'
- screenconnect*.exe
- screenconnect.windowsclient.exe
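Review bot: dropping `'*\*\ScreenConnect.ClientService.exe'` and `'*\ScreenConnect Client*\*'` leaves the client service binary covered only by the fixed `C:\Program Files (x86)\ScreenConnect Client (Random)\ScreenConnect.ClientService.exe` path and the bare `screenconnect*.exe` filename glob, so an install under a non-default root is matched by filename alone; if that narrowing is intended, say so in the commit message. Separately, the same install-directory placeholder is written as `(Random)` on one line and `(<string ID>)` on another; pick one spelling so consumers of the YAML can substitute it consistently.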
Expand All @@ -56,7 +54,23 @@ Artifacts:
- File: C:\ProgramData\ScreenConnect Client*\user.config
Description: ScreenConnect client user configuration
OS: Windows
EventLog: []
EventLog:
- EventID: 20
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: Logs network information (e.g. connection created successfully, connection attempt failed)
- EventID: 100
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: User connected
- EventID: 101
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: User disconnected
- EventID: 200
ProviderName: ScreenConnect
LogFile: Application.evtx
Data: Executed command on host
Comment on lines +58 to +73
Member


Just FYI, the fields aren't standard but are related to the provider, so no "Service Name", for example, because that's related to EID 7045.
In this case you need to provide the message that is shown in the event log in the data field or a specific field.

For me to evaluate this I need to see the logs. The blog that you linked in the reference doesn't contain refs to those EIDs. So please, if you could provide the data for me to review, that would be great.

Registry: []
Network:
- Description: Known remote domains
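Review bot: the four new `Data` values ("Logs network information (e.g. connection created successfully, connection attempt failed)", "User connected", "Executed command on host") are paraphrases rather than the message string the event renders with in Application.evtx, which is what the field is meant to carry per the comment above; please replace each with the actual message (or the named EventData field) as observed on a host. EventID 200 is the entry a detection would key on, so its entry should state whether the message includes the executed command line. It would also help to note whether these events are written by the client service this file describes or only by a server-side install, since all four are attributed to the same `ScreenConnect` provider.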
Expand All @@ -74,4 +88,5 @@ Detections:
Description: Detects potential processes activity of ScreenConnect RMM tool
References:
- https://thedfirreport.com/2023/09/25/from-screenconnect-to-hive-ransomware-in-61-hours/
- https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
Acknowledgement: []
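Review bot: the new reference (huntandhackett.com, REvil and legitimate remote admin tooling) is added in the same change as the EventLog entries but, as noted in the discussion above, does not document Event IDs 20/100/101/200; either cite the source those entries actually come from or mention in the PR description what this link is meant to support, so each EventLog entry stays traceable to a reference.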
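The reviewer comment above asks for the event messages behind the new `EventLog` entries. The PowerShell below is an added example, not code from this PR or from ConnectWise, showing how to collect exactly that on a host running the ScreenConnect client: the message templates from the provider manifest (which is the text that belongs in each `Data` field) plus any live or exported Application-log events for the listed IDs. It assumes the provider is registered under the name `ScreenConnect` as the hunk states, and the export path `C:\evidence\Application.evtx` is a placeholder.

```powershell
# Added example (not part of the PR or of ConnectWise documentation).
# Assumptions: provider registers as 'ScreenConnect' (as the YAML hunk states);
# C:\evidence\Application.evtx is a hypothetical exported log from a triage image.

$ProviderName = 'ScreenConnect'
$EventIds     = 20, 100, 101, 200

# 1. Message templates from the provider manifest. These are the strings to
#    paste into the YAML Data fields; requires the client to be installed here.
$provider = Get-WinEvent -ListProvider $ProviderName -ErrorAction SilentlyContinue
if ($provider) {
    $provider.Events |
        Where-Object { $_.Id -in $EventIds } |
        Select-Object Id, Level, Description |
        Format-Table -AutoSize -Wrap
} else {
    Write-Warning "Provider '$ProviderName' is not registered on this host"
}

# 2. Matching events from the live Application log
$live = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $ProviderName
    Id           = $EventIds
} -ErrorAction SilentlyContinue

# 3. Same filter against an exported .evtx (hypothetical path)
$exported = Get-WinEvent -FilterHashtable @{
    Path         = 'C:\evidence\Application.evtx'
    ProviderName = $ProviderName
    Id           = $EventIds
} -ErrorAction SilentlyContinue

# 4. Show the rendered Message (what the reviewer needs to see) and keep the
#    per-event XML so any named EventData field can be referenced in the YAML.
$events = @($live) + @($exported) | Where-Object { $_ }
$events |
    Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap

$events | ForEach-Object {
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        Id          = $_.Id
        Message     = $_.Message
        EventXml    = $_.ToXml()
    }
} | Export-Csv -NoTypeInformation -Path .\screenconnect-events.csv
```

Run it in an elevated session on a machine where the client has actually connected and run a command, so that IDs 100/101 and 200 exist; step 1 works even on a host with no events, which is enough to settle the `Data` wording, while the CSV from step 4 gives the reviewer the real records to check against the entries.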