Skip to content

Hide Navigation Hide TOC

Remote Access Tool - ScreenConnect Temporary File (0afecb6e-6223-4a82-99fb-bf5b981e92a5)

Detects the creation of files in a specific location by ScreenConnect RMM. ScreenConnect has feature to remotely execute binaries on a target machine. These binaries will be dropped to ":\Users\\Documents\ConnectWiseControl\Temp\" before execution.

Cluster A Galaxy A Cluster B Galaxy B Level
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Remote Access Tool - ScreenConnect Temporary File (0afecb6e-6223-4a82-99fb-bf5b981e92a5) Sigma-Rules 1
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2