Newly Observed ScreenConnect Host Server
Detects when the ScreenConnect client (ConnectWise Control) connects to a newly observed host server that is not the official ScreenConnect cloud. ScreenConnect is a common RMM/remote access tool abused for C2 and persistence. Self-hosted or non-standard relay servers may indicate abuse or compromise. The rule aggregates by server host (parsed from the client command line), requires first-time observation within the rule window, and limits to a single host to reduce noise.
Rule type: esql
Rule indices: None
Severity: high
Risk score: 73
Runs every: 6m
Searches indices from: now-5d (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Endpoint
- OS: Windows
- Use Case: Threat Detection
- Tactic: Command and Control
- Resources: Investigation Guide
- Data Source: Elastic Defend
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
Triage and analysis
Investigating Newly Observed ScreenConnect Host Server
ScreenConnect (ConnectWise Control) is legitimate RMM software often abused by threat actors for command-and-control and persistence. This rule fires when a host is seen connecting to a ScreenConnect server host that was not seen before (within the rule window) and that is not the official *.screenconnect.com cloud—surfacing self-hosted or non-standard relay servers that may indicate abuse.
Possible investigation steps
- Identify the host and user from the alert and confirm whether use of ScreenConnect is approved.
- Inspect the parsed ScreenConnect server host (Esql.screenconnect_server)—is it an internal host, a known vendor, or an unknown domain/IP?
- Review the process command line for the full connection parameters and any other suspicious options.
- Correlate with the companion rule "First Time Seen Remote Monitoring and Management Tool" for the same host.
- Check for other alerts on the host or user in the past 48 hours.
False positive analysis
- Legitimate use of self-hosted ScreenConnect/ConnectWise Control by IT or an MSP will trigger this rule; allowlist known relay servers by host, or add a rule exception, if appropriate.
- New deployments of on-prem ScreenConnect relays will appear as newly observed; validate with change management.
Response and remediation
- If unauthorized RMM use or an unknown relay is confirmed: isolate the host, remove or block the client, and investigate how the software was installed and who operates the server.
- Enforce policy that only approved RMM tools and approved relay servers may be used.
Rule query
from logs-endpoint.events.process-* metadata _id, _version, _index
| where event.category == "process" and event.type == "start" and (process.name == "ScreenConnect.ClientService.exe" or process.code_signature.subject_name == "ConnectWise, LLC")
| grok process.command_line """e=Access&y=Guest&h=(?<Esql.screenconnect_server>[^&]+)&p"""
| where Esql.screenconnect_server is not null and not Esql.screenconnect_server like "*.screenconnect.com"
| stats Esql.count_distinct_host_id = count_distinct(host.id),
Esql.first_time_seen = min(@timestamp),
Esql.user_name_values = values(user.name),
Esql.command_line_values = values(process.command_line),
Esql.host_id_values = values(host.id),
Esql.host_name_values = values(host.name) by Esql.screenconnect_server
| eval Esql.recent = date_diff("minute", Esql.first_time_seen, now())
| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1
| eval host.id = mv_first(Esql.host_id_values),
host.name = mv_first(Esql.host_name_values),
process.command_line = mv_first(Esql.command_line_values)
| keep host.id, host.name, process.command_line, Esql.screenconnect_server
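The query above is easier to reason about when its stages are run step by step over a handful of events. The following Python script is an added illustration, not part of the Elastic rule or its code: it reimplements the same pipeline (the process-start filter, the grok pattern as a regular expression, exclusion of the official *.screenconnect.com cloud, grouping by relay host, the first-seen check against the 6-minute window, and the single-host requirement) over a constructed set of process events. The command lines, host ids, relay names and timestamps are all made up for the example; the ES|QL field names are kept so the output can be compared with the rule's.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Python equivalent of the rule's grok pattern; the ES|QL named group
# Esql.screenconnect_server becomes the Python group "server".
SERVER_RE = re.compile(r"e=Access&y=Guest&h=(?P<server>[^&]+)&p")
OFFICIAL_CLOUD_SUFFIX = ".screenconnect.com"   # the rule's `like "*.screenconnect.com"`
RECENT_MINUTES = 6                              # the rule's `Esql.recent <= 6`


def parse_server(command_line):
    """Return the relay host from a ScreenConnect client command line, or None."""
    match = SERVER_RE.search(command_line or "")
    return match.group("server") if match else None


def is_official_cloud(server):
    """Mirror ES|QL LIKE "*.screenconnect.com": a case-sensitive suffix match."""
    return server.endswith(OFFICIAL_CLOUD_SUFFIX)


def is_screenconnect_start(event):
    """The rule's first `where`: a process start of the client binary
    or of any process signed by ConnectWise, LLC."""
    return (
        event.get("event.category") == "process"
        and event.get("event.type") == "start"
        and (
            event.get("process.name") == "ScreenConnect.ClientService.exe"
            or event.get("process.code_signature.subject_name") == "ConnectWise, LLC"
        )
    )


def detect_new_servers(events, now):
    """Group qualifying events by relay host and return one alert per server that
    was first seen within RECENT_MINUTES of `now` and was contacted by exactly one host."""
    by_server = defaultdict(list)
    for event in events:
        if not is_screenconnect_start(event):
            continue
        server = parse_server(event.get("process.command_line"))
        if server is None or is_official_cloud(server):
            continue
        by_server[server].append(event)

    alerts = []
    for server, evs in by_server.items():
        first_seen = min(e["@timestamp"] for e in evs)          # min(@timestamp)
        recent = int((now - first_seen) / timedelta(minutes=1))  # date_diff("minute", ...)
        distinct_hosts = {e["host.id"] for e in evs}             # count_distinct(host.id)
        if recent <= RECENT_MINUTES and len(distinct_hosts) == 1:
            first = evs[0]                                       # mv_first(...) of the values
            alerts.append({
                "host.id": first["host.id"],
                "host.name": first["host.name"],
                "process.command_line": first["process.command_line"],
                "Esql.screenconnect_server": server,
                "Esql.user_name_values": sorted({e["user.name"] for e in evs}),
            })
    return alerts


# ---- constructed sample data (not real telemetry) ----------------------------
def _ts(hour, minute):
    return datetime(2024, 5, 1, hour, minute, tzinfo=timezone.utc)


NOW = _ts(12, 10)  # hypothetical rule execution time


def _event(host, ts, server, name="ScreenConnect.ClientService.exe",
           signer="ConnectWise, LLC", user="jdoe"):
    """Build one constructed process-start event in the shape the rule expects."""
    cmd = (f'"C:\\Program Files (x86)\\ScreenConnect Client\\{name}" '
           f'"?e=Access&y=Guest&h={server}&p=8041&s=00000000-0000-0000-0000-000000000000&k=placeholder"')
    return {
        "@timestamp": ts, "event.category": "process", "event.type": "start",
        "process.name": name, "process.code_signature.subject_name": signer,
        "process.command_line": cmd, "host.id": host, "host.name": host, "user.name": user,
    }


SAMPLE_EVENTS = [
    _event("host-a", _ts(12, 6), "relay.corp-it.example"),          # new self-hosted relay, one host -> alert
    _event("host-b", _ts(12, 7), "acme.screenconnect.com"),         # official cloud -> excluded
    _event("host-c", _ts(12, 7), "relay.msp.example"),              # same relay seen from two hosts
    _event("host-d", _ts(12, 8), "relay.msp.example", user="svc"),  #   -> count_distinct_host_id == 2, suppressed
    _event("host-e", _ts(11, 0), "stale-relay.example"),            # first seen 70 minutes ago -> not recent
    _event("host-f", _ts(12, 9), "relay.corp-it.example",           # not the client and not ConnectWise-signed
           name="notepad.exe", signer="Example Corp"),              #   -> dropped by the first `where`
]

if __name__ == "__main__":
    for alert in detect_new_servers(SAMPLE_EVENTS, NOW):
        print(alert)
```

Running the script yields a single alert, for host-a and relay.corp-it.example. The host-f event shows why the process filter matters: had it passed, relay.corp-it.example would have two distinct hosts and the single-host guard would have suppressed the genuine finding, which is the trade-off the rule makes to reduce noise.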
Framework: MITRE ATT&CK™
- Tactic:
  - Name: Command and Control
  - ID: TA0011
  - Reference URL: https://attack.mitre.org/tactics/TA0011/
- Technique:
  - Name: Remote Access Tools
  - ID: T1219
  - Reference URL: https://attack.mitre.org/techniques/T1219/
- Sub-technique:
  - Name: Remote Desktop Software
  - ID: T1219.002
  - Reference URL: https://attack.mitre.org/techniques/T1219/002/