ScreenConnect Forensics


Last updated 1 year ago

Attack

Get a user to download the agent and enter the code to join the session.

Or download the agent yourself and execute it on the victim workstation if you already have access.

Once the executable is run, you can join the session as the host from the web console.

ScreenConnect relay.

Once the session is established, we can execute all sorts of commands:

  • Run executables

  • Transfer files

  • Run commands

  • Install Permanent Access (most important for persistence).

We can see that the ScreenConnect instance is being run by the highly privileged NT AUTHORITY\SYSTEM user.

If we run the Install Access command, the client is permanently installed on the victim machine and we can access it without the user having to rejoin or enter any codes. This is ideal for staying persistent on a victim machine while remaining in an elevated privilege state.

Client session is now listed in access area of console.

Run commands in web portal terminal.

Detect

Once a session is connected, the Application log shows which account connected to the device. It will not show the source IP of the TA's connection, because the connection is brokered by ScreenConnect's relay servers.

  • Application logs

  • Source: ScreenConnect

ScreenConnect relay.

User disconnected.

Regular Client Installation

A regular client installation is not permanent. Event ID 7045 will appear for base ScreenConnect installations, a good indicator of when the client was executed.

Time: 11/29/2023 11:02:05 PM
Event ID: 7045
Message: A service was installed in the system.

Service Name:  ScreenConnect Client (99087e24-f8c7-47eb-8855-4d63ac3c55e2)
Service File Name:  "C:\Users\Administrator\AppData\Local\Apps\2.0\3XED1J4P.ZWE\NHXKMX9B.6B0\scre..tion_25b0fbb6ef7eb094_0017.0008_c2f57e8a00a9f92d\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-j24yfa-relay.screenconnect.com&p=443&s=99087e24-f8c7-47eb-8855-4d63ac3c55e2&k=BgIAAACkAABSU0ExAAgAAAEAAQB5YtrCzQNpuIufSOv1Ok14VGIGcn%2fI2D9MpSVoJkcw75oQm%2fD0U918EOAefys5dC%2b0c4EO7rDs%2bf8rFBH%2fIfm5OeNm5pzCrAs5EUhM1W%2fW19n1KEchs6fr1TX518EBE6wm1Fs3ZaIh%2f3TsZue2LRyAboOanpH3bQqe7qCVKmTAYSsxWPjG2ONbk%2bc5q%2fnGndEgA6GB84spU%2fMJN4%2feA6utzQ9T7KiwjdgkXoWsXqyLM6xOkCPPKwoDyBMMfQLZTAi5Yk6z4CwFoMc7FyD0EKBhkrR4PnChBHxAJci28WYJmXig8PTSoSaTRBV4xHmc%2fBUsmPUP4AIHqndI1M2%2f7pbV&r=&i=Untitled%20Session" "1"

Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem

Install Access

Permanent access installed. This will allow the TA persistent access to the host without the user having to enter any codes.

These executables can be built with the Build + button.

These also create a service, generating another 7045 entry even when this is an upgrade over a base install, so two 7045 entries will be present.

Time: 11/29/2023 11:13:12 PM
Event ID: 7045
Message: A service was installed in the system.

Service Name:  ScreenConnect Client (e6f5ce1d563c8e3f)
Service File Name:  "C:\Program Files (x86)\ScreenConnect Client (e6f5ce1d563c8e3f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-j24yfa-relay.screenconnect.com&p=443&s=2d33b2a8-44d2-4100-89ac-28d73a703389&k=BgIAAACkAABSU0ExAAgAAAEAAQB5YtrCzQNpuIufSOv1Ok14VGIGcn%2fI2D9MpSVoJkcw75oQm%2fD0U918EOAefys5dC%2b0c4EO7rDs%2bf8rFBH%2fIfm5OeNm5pzCrAs5EUhM1W%2fW19n1KEchs6fr1TX518EBE6wm1Fs3ZaIh%2f3TsZue2LRyAboOanpH3bQqe7qCVKmTAYSsxWPjG2ONbk%2bc5q%2fnGndEgA6GB84spU%2fMJN4%2feA6utzQ9T7KiwjdgkXoWsXqyLM6xOkCPPKwoDyBMMfQLZTAi5Yk6z4CwFoMc7FyD0EKBhkrR4PnChBHxAJci28WYJmXig8PTSoSaTRBV4xHmc%2fBUsmPUP4AIHqndI1M2%2f7pbV"

Service Type:  user mode service
Service Start Type:  auto start
Service Account:  LocalSystem
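The two 7045 entries above (the ad-hoc Support client and the persistent Access client) can be told apart from the service's command line alone. This is an added example, not the page's or ConnectWise's code: it parses the launch query string of a ScreenConnect 7045 message and flags the Access installs. The sample messages are constructed from the entries above, with shortened paths and the k= key blob replaced by a placeholder.

```python
import re
from urllib.parse import parse_qs

# Constructed samples modelled on the two 7045 events above (relay host and
# session ids as on the page; paths shortened, k= key blob replaced).
SUPPORT_7045 = r'''Service Name:  ScreenConnect Client (99087e24-f8c7-47eb-8855-4d63ac3c55e2)
Service File Name:  "C:\Users\Administrator\AppData\Local\Apps\2.0\3XED1J4P.ZWE\ScreenConnect.ClientService.exe" "?e=Support&y=Guest&h=instance-j24yfa-relay.screenconnect.com&p=443&s=99087e24-f8c7-47eb-8855-4d63ac3c55e2&k=KEYBLOB&r=&i=Untitled%20Session" "1"
Service Account:  LocalSystem'''

ACCESS_7045 = r'''Service Name:  ScreenConnect Client (e6f5ce1d563c8e3f)
Service File Name:  "C:\Program Files (x86)\ScreenConnect Client (e6f5ce1d563c8e3f)\ScreenConnect.ClientService.exe" "?e=Access&y=Guest&h=instance-j24yfa-relay.screenconnect.com&p=443&s=2d33b2a8-44d2-4100-89ac-28d73a703389&k=KEYBLOB"
Service Account:  LocalSystem'''

NAME_RE = re.compile(r"Service Name:\s+ScreenConnect Client \(([^)]+)\)")
FILE_RE = re.compile(r'Service File Name:\s+"([^"]+)"\s+"\?([^"]*)"')
ACCOUNT_RE = re.compile(r"Service Account:\s+(\S+)")

def parse_service_install(message):
    """Forensic fields from a ScreenConnect 7045 message, or None if the
    message is not a ScreenConnect client service install."""
    name, path = NAME_RE.search(message), FILE_RE.search(message)
    if not name or not path:
        return None
    exe_path, query = path.group(1), path.group(2)
    # The client's launch parameters are a URL query string; e= is the session
    # type (Support = one-off session, Access = persistent unattended client).
    params = {k: v[0] for k, v in parse_qs(query).items()}
    session_type = params.get("e", "")
    account = ACCOUNT_RE.search(message)
    return {
        "service_id": name.group(1),
        "session_type": session_type,
        "persistent": session_type.lower() == "access",
        "relay_host": params.get("h"),
        "relay_port": params.get("p"),
        "session_id": params.get("s"),
        "session_name": params.get("i"),
        # Program Files = installed Access client; a user-profile ClickOnce
        # path is the ad-hoc Support client the user launched.
        "install_location": "program_files" if exe_path.lower().startswith(r"c:\program files") else "user_profile",
        "account": account.group(1) if account else None,
    }

if __name__ == "__main__":
    for sample in (SUPPORT_7045, ACCESS_7045):
        print(parse_service_install(sample))
```

Run against exported System log messages, any entry with persistent set is the Install Access event to timeline; relay_host and session_id tie it back to the TA's cloud instance.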

ScreenConnect.ClientSetup.exe can be used as evidence of ScreenConnect installing itself persistently.

Time: 11/29/2023 11:13:07 PM
Event ID: 201
Message: Transferred files with action 'RunSilentElevated':
ScreenConnect.ClientSetup.exe

Version: 23.8.5.8707
Executable Path: C:\Users\Administrator\AppData\Local\Apps\2.0\3XED1J4P.ZWE\NHXKMX9B.6B0\scre..tion_25b0fbb6ef7eb094_0017.0008_c2f57e8a00a9f92d\ScreenConnect.ClientService.exe

Uninstall Access

ScreenConnect.ClientUninstall.vbs can be used as evidence of an uninstallation.

Event ID 201
Message: Transferred files with action 'RunSilentElevated':
ScreenConnect.ClientUninstall.vbs

Version: 23.8.5.8707
Executable Path: C:\Program Files (x86)\ScreenConnect Client (e6f5ce1d563c8e3f)\ScreenConnect.ClientService.exe

Commands Run

This allows shell access to the victim host and the ability to run commands remotely. The length of each command run from the ScreenConnect shell is recorded in the Application event log, which can be used to correlate the lengths of command lines recovered elsewhere with the command lengths recorded there.

Length of "Dir" command = 3

Run Tool

Using the Run Tool command will execute any file that has been uploaded to the host. In this case, a cute picture of a wide gator will be shown (or ransomware!).

The upload and execution of this file can be seen in the Application logs.

Event ID 201
Message: Transferred files with action 'RunElevated':
rrlpva9z6tz11.png

Version: 23.8.5.8707
Executable Path: C:\Program Files (x86)\ScreenConnect Client (e6f5ce1d563c8e3f)\ScreenConnect.ClientService.exe
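The Event ID 201 entries in the Install Access, Uninstall Access and Run Tool sections share one message shape, so they can be triaged together. This is an added example, not code from the page or from ConnectWise: it classifies each 201 message by action and file name and orders the findings into a timeline. The sample events are constructed from the entries above; only the 11:13:07 PM timestamp is from the page, the others and the 'Transfer' action name are made up for the sample.

```python
import re
from datetime import datetime

# Constructed Event ID 201 messages modelled on the three examples above. The
# 11:13:07 PM timestamp is the page's; the other timestamps and the
# 'Transfer' action name are constructed for this sample.
SAMPLE_201 = [
    ("11/29/2023 11:16:40 PM", "Transferred files with action 'RunElevated':\nrrlpva9z6tz11.png"),
    ("11/29/2023 11:13:07 PM", "Transferred files with action 'RunSilentElevated':\nScreenConnect.ClientSetup.exe"),
    ("11/29/2023 11:25:02 PM", "Transferred files with action 'RunSilentElevated':\nScreenConnect.ClientUninstall.vbs"),
    ("11/29/2023 11:18:11 PM", "Transferred files with action 'Transfer':\nnotes.txt"),
]

TRANSFER_RE = re.compile(r"Transferred files with action '([^']+)':\s*\n\s*(\S+)")

def classify_transfer(message):
    """Map one 201 message to a finding; None if it is not a file-transfer event."""
    m = TRANSFER_RE.search(message)
    if not m:
        return None
    action, filename = m.group(1), m.group(2)
    low = filename.lower()
    if low == "screenconnect.clientsetup.exe":
        finding = "persistent Access client installed (Install Access)"
    elif low == "screenconnect.clientuninstall.vbs":
        finding = "Access client uninstalled (Uninstall Access)"
    elif action.startswith("Run"):
        finding = "uploaded file executed (Run Tool)"
    else:
        finding = "file transferred to host"
    return {"action": action, "file": filename,
            "elevated": "Elevated" in action, "finding": finding}

def build_timeline(events):
    """Return (datetime, finding dict) tuples sorted by time."""
    rows = []
    for ts, message in events:
        c = classify_transfer(message)
        if c:
            rows.append((datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"), c))
    rows.sort(key=lambda r: r[0])
    return rows

if __name__ == "__main__":
    for when, c in build_timeline(SAMPLE_201):
        flag = " [elevated]" if c["elevated"] else ""
        print(f"{when:%Y-%m-%d %H:%M:%S}  {c['finding']}: {c['file']}{flag}")
```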

ScreenConnect Audit Logs

ScreenConnect audit logs record commands run and their output, the IPs and usernames of those logging into machines, and the user-agents of those connecting to sessions.

You can also generate reports based on types of logs you want to parse.

Mitigate

Change Cloud Admin Password

Go to the Control Panel to reset the password of the Cloud Administrator account.

Changing the password prevents the TA from re-accessing the Cloud Administrator account.

Revoke Sessions

Revoking authenticated sessions terminates all active authentication sessions in the web portal. If SAML or Active Directory login is set up, it's a good idea to rotate those credentials as well in case they were compromised.

  • Reset compromised user creds.

  • Revoke ConnectWise portal sessions.

  • Revoke ScreenConnect host session connections.

Disconnecting users from host connections can also be done to ensure the TA doesn't still have access to victim machines even after the first two recommendations are completed.

ScreenConnect Exploit:

The Users folder gets wiped and a new user is added for the TA to leverage.

  • C:\ScreenConnect/App_Data/User.xml

Analysis

  • Look at the SQLite DB on the on-prem server to see logs of what actions the TA took while leveraging ScreenConnect.

Mitigations

  • Rollback host to recover wiped accounts

  • Update to latest version

  • Kill all sessions and reset any compromised passwords

  • Check for any leftover users
