Newly Observed ScreenConnect Host Server

Last updated 6 days ago on 2026-03-09
Created 6 days ago on 2026-03-09

About

Detects when the ScreenConnect client (ConnectWise Control) connects to a newly observed host server that is not the official ScreenConnect cloud. ScreenConnect is a common RMM/remote access tool abused for C2 and persistence. Self-hosted or non-standard relay servers may indicate abuse or compromise. The rule aggregates by server host (parsed from the client command line), requires first-time observation within the rule window, and limits to a single host to reduce noise.
Tags
Domain: Endpoint
OS: Windows
Use Case: Threat Detection
Tactic: Command and Control
Data Source: Elastic Defend
Language: esql
Severity
high
Risk Score
73
MITRE ATT&CK™

Command and Control (TA0011)

License
Elastic License v2

Definition

Integration Pack
Prebuilt Security Detection Rules
Related Integrations

endpoint

Query
from logs-endpoint.events.process-* metadata _id, _version, _index
| where event.category == "process" and event.type == "start"
  and (process.name == "ScreenConnect.ClientService.exe" or process.code_signature.subject_name == "ConnectWise, LLC")
| grok process.command_line """e=Access&y=Guest&h=(?<Esql.screenconnect_server>[^&]+)&p"""
| where Esql.screenconnect_server is not null and not Esql.screenconnect_server like "*.screenconnect.com"
| stats Esql.count_distinct_host_id = count_distinct(host.id),
        Esql.first_time_seen = min(@timestamp),
        Esql.user_name_values = values(user.name),
        Esql.command_line_values = values(process.command_line),
        Esql.host_id_values = values(host.id),
        Esql.host_name_values = values(host.name)
  by Esql.screenconnect_server
| eval Esql.recent = date_diff("minute", Esql.first_time_seen, now())
| where Esql.recent <= 6 and Esql.count_distinct_host_id == 1
| eval host.id = mv_first(Esql.host_id_values),
       host.name = mv_first(Esql.host_name_values),
       process.command_line = mv_first(Esql.command_line_values)
| keep host.id, host.name, process.command_line, Esql.screenconnect_server

Install detection rules in Elastic Security

Detect Newly Observed ScreenConnect Host Server in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.