Rogue ScreenConnect: Common Social Engineering Tactics We Saw in 2025
Summary
Threat actors are delivering malicious ScreenConnect remote monitoring and management (RMM) clients through social-engineering lures such as fake Social Security statements, invitation letters and invoice documents. The lures are distributed via phishing emails and malicious web pages that lead victims to download ScreenConnect client executables renamed to look like documents. Once installed, the rogue RMM client gives the attacker persistent remote access to the compromised host.
Investigation
Huntress observed dozens of incidents between January and September 2025 where renamed ScreenConnect binaries were executed on endpoints in multiple industries. The SOC collected associated domain names, IP addresses and file hashes, noting repeated use of dynamic DNS services and specific lure naming patterns. Detailed log analysis showed the malicious client contacting attacker‑controlled domains for command‑and‑control.
Mitigation
Organizations should strengthen security awareness training so users recognise fake statements, invoices and invitation files, in particular "documents" that arrive as executables. Continuously monitor remote access tools, restrict RMM execution to approved binaries and audit network connections to known malicious domains. Note that a rogue ScreenConnect client downloaded from an attacker's own instance is still a legitimately signed ConnectWise binary, so blocking unsigned RMM software alone will not stop it; allow-list by install path, publisher and the relay host of your authorised instance, and keep that software patched.
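The audit recommended above can be scripted. The following PowerShell is an added example written for this page, not Huntress or ConnectWise code. It identifies ScreenConnect binaries by their PE version resource rather than by file name, so a renamed client is still recognised, and then checks name, location and signer. The expected client file names, the install root and the signer match string are assumptions that must be adjusted to the local deployment; the three sample descriptors are constructed.

```powershell
# Added example (not Huntress or ConnectWise code). Flags running processes whose PE
# version resource identifies them as ScreenConnect but whose on-disk name, path or
# signer does not match a sanctioned client install.
# Assumptions for this example: the expected client file names, the install root and
# the signer match string. Adjust them to your deployment.
$ExpectedClientNames = @('ScreenConnect.ClientService.exe', 'ScreenConnect.WindowsClient.exe')
$ExpectedInstallRoot = 'C:\Program Files (x86)\ScreenConnect Client'
$ExpectedSigner      = 'ConnectWise'

function Test-ScreenConnectIdentity {
    # Takes one descriptor (Path, ProductName, OriginalFilename, SignerSubject) and
    # returns a verdict for ScreenConnect binaries, $null for anything else.
    # A valid signature is not enough on its own: a client pulled from an attacker's
    # ScreenConnect instance is still signed by the vendor, so name and path matter.
    param([Parameter(Mandatory)] [pscustomobject] $Proc)

    $isScreenConnect = ($Proc.ProductName -match 'ScreenConnect') -or
                       ($Proc.OriginalFilename -match '^ScreenConnect\.')
    if (-not $isScreenConnect) { return $null }

    $leaf    = Split-Path -Leaf $Proc.Path
    $reasons = @()
    if ($ExpectedClientNames -notcontains $leaf) {
        $reasons += "renamed binary ($leaf; PE OriginalFilename is $($Proc.OriginalFilename))"
    }
    if (-not $Proc.Path.StartsWith($ExpectedInstallRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
        $reasons += "unexpected location ($(Split-Path -Parent $Proc.Path))"
    }
    if ($Proc.SignerSubject -notmatch $ExpectedSigner) {
        $reasons += "signer is '$($Proc.SignerSubject)'"
    }

    $verdict = if ($reasons.Count -gt 0) { 'ROGUE' } else { 'expected' }
    [pscustomobject]@{ Path = $Proc.Path; Verdict = $verdict; Reasons = ($reasons -join '; ') }
}

function Get-ProcessDescriptor {
    # Builds descriptors from live processes. Processes whose main module cannot be
    # read (protected or cross-bitness) are skipped; treat that as a visibility gap.
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path } | ForEach-Object {
        try { $vi = $_.MainModule.FileVersionInfo } catch { return }
        $sig    = Get-AuthenticodeSignature -FilePath $_.Path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        [pscustomobject]@{
            Path             = $_.Path
            ProductName      = $vi.ProductName
            OriginalFilename = $vi.OriginalFilename
            SignerSubject    = $signer
        }
    }
}

# Constructed sample descriptors (not real host data) so the logic can be read offline.
$Sample = @(
    [pscustomobject]@{ Path = 'C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe'
                       ProductName = 'ScreenConnect'; OriginalFilename = 'ScreenConnect.ClientService.exe'
                       SignerSubject = 'CN=ConnectWise, LLC' },
    [pscustomobject]@{ Path = 'C:\Users\alice\Downloads\Social_Security_Statement_redacted.exe'
                       ProductName = 'ScreenConnect'; OriginalFilename = 'ScreenConnect.ClientService.exe'
                       SignerSubject = 'CN=ConnectWise, LLC' },
    [pscustomobject]@{ Path = 'C:\Windows\System32\svchost.exe'
                       ProductName = 'Microsoft Windows Operating System'; OriginalFilename = 'svchost.exe'
                       SignerSubject = 'CN=Microsoft Windows' }
)

# The first sample is reported as expected, the second as ROGUE (renamed, unexpected
# location), the third is ignored because it is not ScreenConnect at all.
$Sample | ForEach-Object { Test-ScreenConnectIdentity $_ } | Where-Object { $_ } | Format-Table -AutoSize

# Against the live host:
# Get-ProcessDescriptor | ForEach-Object { Test-ScreenConnectIdentity $_ } | Where-Object { $_ } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so that service processes can be inspected; unelevated, the ScreenConnect client service itself is one of the processes that will be skipped.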
Response
Upon detection of a renamed ScreenConnect executable, isolate the endpoint, collect the binary and associated network traffic, and block the C2 domain at the firewall. Perform a forensic analysis to identify persistence mechanisms and lateral movement, then remediate compromised accounts and reset credentials.
Attack Flow
Detections
Alternative Remote Access / Management Software (via system)
Alternative Remote Access / Management Software (via audit)
Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
Alternative Remote Access / Management Software (via process_creation)
IOCs (HashSha256) to detect: Rogue ScreenConnect: Common Social Engineering Tactics We Saw in 2025
Rogue ScreenConnect Installation via Social Engineering Lures [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
An attacker crafts a phishing email with an attachment named Social_Security_Statement_redacted.exe that actually contains a legitimate ScreenConnect installer (or any other payload). The victim, believing it to be a personal finance document, double-clicks the file. The OS launches the executable, producing a process-creation event whose Image field ends with the lure filename. This exact pattern matches the Sigma rule and should raise an alert.
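The same logic can be run as a hunt over Sysmon process-creation events rather than waiting for the SIEM rule. The PowerShell below is an added example written for this page, not Huntress code or the Sigma rule itself. It checks two signals: the lure-style file name the narrative describes, and a renamed ScreenConnect client identified through Sysmon's OriginalFileName field, which keeps working when the attacker picks a lure name the regex has never seen. The lure regex and the expected ScreenConnect OriginalFileName values are assumptions, Sysmon is assumed to be installed, and the sample events are constructed.

```powershell
# Added example (not Huntress code). Hunts Sysmon Event ID 1 (process creation) for
# renamed ScreenConnect clients delivered under document-style lure names.
# Assumptions: Sysmon is installed and logs Image, OriginalFileName, CommandLine,
# ParentImage and Hashes; the lure regex and OriginalFileName list below are guesses
# based on the naming patterns described in this report.
$LurePattern      = '(social_?security|statement|invoice|invitation).*\.exe$'
$RmmOriginalNames = @('ScreenConnect.ClientService.exe', 'ScreenConnect.WindowsClient.exe')

function Get-SysmonProcessCreate {
    # Flattens the EventData of each Sysmon EID 1 record into one object.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml] $_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time             = $_.TimeCreated
                Image            = $d['Image']
                OriginalFileName = $d['OriginalFileName']
                CommandLine      = $d['CommandLine']
                ParentImage      = $d['ParentImage']
                Hashes           = $d['Hashes']
            }
        }
}

function Find-RogueScreenConnect {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        $leaf = Split-Path -Leaf $e.Image
        $hits = @()
        # Signal 1: the file name reads like a document lure but is an executable
        # (this is what the renamed calc.exe regression test exercises).
        if ($leaf -match $LurePattern) { $hits += 'lure filename' }
        # Signal 2: the PE's OriginalFileName says ScreenConnect but the on-disk name
        # disagrees. Catches renamed clients whatever the lure is called; a renamed
        # calc.exe does NOT trigger this branch because its OriginalFileName is CALC.EXE.
        if (($RmmOriginalNames -contains $e.OriginalFileName) -and ($leaf -ne $e.OriginalFileName)) {
            $hits += "renamed $($e.OriginalFileName)"
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time   = $e.Time
                Image  = $e.Image
                Parent = $e.ParentImage
                Why    = ($hits -join ', ')
                Hashes = $e.Hashes
            }
        }
    }
}

# Constructed sample events (not real telemetry).
$SampleEvents = @(
    [pscustomobject]@{ Time = '2025-06-01 10:02:11'; Image = 'C:\Users\alice\Downloads\Social_Security_Statement_redacted.exe'
                       OriginalFileName = 'ScreenConnect.ClientService.exe'; CommandLine = '"C:\Users\alice\Downloads\Social_Security_Statement_redacted.exe"'
                       ParentImage = 'C:\Windows\explorer.exe'; Hashes = 'SHA256=(constructed)' },
    [pscustomobject]@{ Time = '2025-06-01 10:05:40'; Image = 'C:\Users\alice\AppData\Local\Temp\sc.exe'
                       OriginalFileName = 'ScreenConnect.ClientService.exe'; CommandLine = 'sc.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; Hashes = 'SHA256=(constructed)' },
    [pscustomobject]@{ Time = '2025-06-01 10:07:03'; Image = 'C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe'
                       OriginalFileName = 'ScreenConnect.ClientService.exe'; CommandLine = 'ScreenConnect.ClientService.exe'
                       ParentImage = 'C:\Windows\System32\services.exe'; Hashes = 'SHA256=(constructed)' },
    [pscustomobject]@{ Time = '2025-06-01 10:09:55'; Image = 'C:\Windows\System32\notepad.exe'
                       OriginalFileName = 'NOTEPAD.EXE'; CommandLine = 'notepad.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; Hashes = 'SHA256=(constructed)' }
)

# Expected: event 1 hits both signals, event 2 hits only signal 2, events 3 and 4 are silent.
Find-RogueScreenConnect -Events $SampleEvents | Format-Table -AutoSize

# Against live Sysmon telemetry:
# Find-RogueScreenConnect -Events (Get-SysmonProcessCreate) | Format-Table -AutoSize
```

Security event 4688 carries no OriginalFileName, so signal 2 needs Sysmon or EDR telemetry; on hosts with only the Security log, signal 1 is all the file-name based rule can see, which is why the simulation below is limited to that case.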
Regression Test Script:
# --------------------------------------------------------------
# Simulation script – triggers the "Rogue ScreenConnect" rule
# --------------------------------------------------------------
# 1. Prepare a benign payload (e.g., calc.exe) and rename it to the lure name
$src = "$env:SystemRoot\System32\calc.exe"
$dst = "$env:Temp\Social_Security_Statement_redacted.exe"
Copy-Item -Path $src -Destination $dst -Force

# 2. Optionally set the hidden attribute to mimic evasion (T1564.001, Hidden Files and Directories)
attrib +h $dst

# 3. Execute the renamed payload (simulating the user's double-click)
Start-Process -FilePath $dst

# 4. Wait briefly so the process-creation event is written
Start-Sleep -Seconds 5

# 5. Output confirmation
Write-Host "Executed $dst – should generate detection telemetry."
Cleanup Commands:
# Remove the malicious-looking executable and clear the hidden attribute
$file = "$env:Temp\Social_Security_Statement_redacted.exe"
if (Test-Path $file) {
    # Stop any instance still running from this path; Remove-Item fails on a locked image
    Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.Path -eq $file } | Stop-Process -Force -ErrorAction SilentlyContinue
    attrib -h $file
    Remove-Item -Path $file -Force
    Write-Host "Cleanup complete: $file removed."
} else {
    Write-Host "File not found; nothing to clean."
}
End of Report