ScreenConnect Forensics
Get a user to download an agent and enter the code to join the session.
Or download the agent yourself and execute it on the victim workstation if you have access.
Once the executable is run, you can join the session as the host from the web console.
ScreenConnect relay.
Once the session is established, we can execute all sorts of commands:
Run executables
Transfer files
Run commands
Install Permanent Access (most important for persistence).
We can see that the ScreenConnect instance is being run by the highly privileged NT AUTHORITY\SYSTEM user.
If we run the Install Access command, this will permanently install the client on the victim machine and allow us access to it without the user having to rejoin or enter any codes. This is ideal for staying persistent on a victim machine while also keeping an elevated privilege level.
Client session is now listed in access area of console.
Run commands in web portal terminal.
Once you're connected, the Application event log will show which account has connected to this device. It will not show the source IP of the TA's connection, because the connection is brokered by ScreenConnect's relay servers.
Application logs
Source: ScreenConnect
ScreenConnect relay.
User disconnected.
Regular client installation, not permanent. Event ID 7045 (System log, Service Control Manager: a new service was installed) will appear for base ScreenConnect installations, which makes it a good indicator of when the client was executed.
Permanent access installed. This will allow the TA persistent access to the host without the user having to enter any codes.
These executables can be built with the Build + button.
These will also create a service, producing another 7045 entry even when the permanent client is installed as an upgrade over a base install, so two 7045s will be present.
ScreenConnect.ClientSetup.exe can be used as evidence of ScreenConnect installing itself persistently.
ScreenConnect.ClientUninstall.vbs can be used as evidence of an uninstallation.
This will allow shell access to the victim host and the ability to run commands remotely. The length of each command run from the ScreenConnect shell is recorded in the Application event log. This can be used to correlate the length of command lines seen elsewhere (for example in the ScreenConnect audit logs) with the lengths recorded in the Application event log.
Length of "Dir" command = 3
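The following is an added triage example, not code from the original page, that ties the host artefacts above together: it counts ScreenConnect 7045 service installs (two or more pointing at a permanent Install Access upgrade), correlates Application-log command lengths with candidate command lines, and builds a session timeline. The record layout and every sample record are constructed assumptions, not a ScreenConnect or Windows schema.

```python
"""Host-side triage of ScreenConnect artifacts (added example, not code from the
original page). The record layout (log, id, source, time, msg, image, cmd_length)
is an assumed EVTX-export shape and every sample record below is constructed."""

# Constructed sample records. Application messages follow the page's examples
# ("ScreenConnect relay.", "User disconnected."); service paths are illustrative.
EVENTS = [
    {"log": "System", "id": 7045, "time": "2024-05-01T13:02:11",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (sample)\ScreenConnect.ClientService.exe"},
    {"log": "Application", "source": "ScreenConnect", "time": "2024-05-01T13:02:40",
     "msg": "ScreenConnect relay."},
    {"log": "Application", "source": "ScreenConnect", "time": "2024-05-01T13:05:12",
     "msg": "Command executed", "cmd_length": 3},
    {"log": "System", "id": 7045, "time": "2024-05-01T13:07:00",   # second 7045: Install Access
     "image": r"C:\Program Files (x86)\ScreenConnect Client (sample)\ScreenConnect.ClientService.exe"},
    {"log": "Application", "source": "ScreenConnect", "time": "2024-05-01T13:20:00",
     "msg": "User disconnected."},
    {"log": "System", "id": 7045, "time": "2024-05-01T13:30:00",   # unrelated service, ignored
     "image": r"C:\Windows\System32\svchost.exe"},
]

def screenconnect_service_installs(events):
    """7045 (Service Control Manager) records whose image path names ScreenConnect.
    Two or more on one host is the page's indicator that Install Access upgraded a
    base session into a permanent client (each install registers a service)."""
    return [e for e in events
            if e.get("log") == "System" and e.get("id") == 7045
            and "screenconnect" in e.get("image", "").lower()]

def persistence_suspected(events):
    return len(screenconnect_service_installs(events)) >= 2

def match_command_lengths(events, candidates):
    """Correlate the command length ScreenConnect writes to the Application log with
    candidate command lines (e.g. from the relay's audit log). Returns
    {event_time: [candidates whose length matches]}; 'dir' has length 3."""
    return {e["time"]: [c for c in candidates if len(c) == e["cmd_length"]]
            for e in events
            if e.get("source") == "ScreenConnect" and "cmd_length" in e}

def session_timeline(events):
    """Chronological (time, label) pairs for every ScreenConnect-related record."""
    installs = screenconnect_service_installs(events)
    rows = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e in installs:
            rows.append((e["time"], "service installed (7045)"))
        elif e.get("source") == "ScreenConnect":
            rows.append((e["time"], e["msg"]))
    return rows
```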
Using the Run Tool command will execute any file that has been uploaded to the host. In this case, a cute picture of a wide gator will be shown (or ransomware!).
The upload and execution of this file can be seen in the Application logs.
ScreenConnect audit logs record the commands run and their output, the IPs and usernames of those logging into machines, and the user agents of those connecting to sessions.
You can also generate reports based on types of logs you want to parse.
Go to Control Panel to reset the password of the Cloud Administrator Account.
Change password to prevent re-access of Cloud Administrator Account by the TA.
Revoking authenticated sessions can be used to terminate all active authentication sessions in the web portal. If SAML or Active Directory login is set up, it's a good idea to rotate those credentials as well in case they were compromised.
Reset compromised user creds.
Revoke ConnectWise portal sessions.
Revoke ScreenConnect host session connections.
Disconnecting users from host connections should also be done to ensure the TA no longer has access to victim machines even after the first two recommendations are completed.
Users folder gets wiped and adds a new user for the TA to leverage.
C:\ScreenConnect\App_Data\User.xml
Examine the SQLite DB on the on-prem server to see logs of the actions the TA took while leveraging ScreenConnect.
Rollback host to recover wiped accounts
Update to latest version
Kill all sessions and reset any compromised passwords
Check for any leftover users