{
	"id": "990105da-d1c2-4882-be19-c2e653ae88d7",
	"created_at": "2026-04-06T00:17:59.934879Z",
	"updated_at": "2026-04-10T13:12:30.592983Z",
	"deleted_at": null,
	"sha1_hash": "ca6bee76b429fea05b3914ad55d89873480172c7",
	"title": "REvil: the usage of legitimate remote admin tooling",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 479717,
	"plain_text": "REvil: the usage of legitimate remote admin tooling\r\nBy Krijn de Mik\r\nPublished: 2021-06-10 · Archived: 2026-04-05 21:51:59 UTC\r\n1. Introduction\r\nRecently, Hunt \u0026 Hackett did an incident response engagement involving Sodinokibi (also known as REvil) ransomware. During the incident, the adversary installed a ScreenConnect service on several systems, functioning as a backdoor. This gave the adversary the possibility to connect directly to those systems, without using the Remote Desktop Protocol (RDP) and without the need to authenticate (authentication is of course still required to install ScreenConnect in the first place). This is a rather efficient and effective technique used by several threat actors, alongside other types of legitimate Remote Administration Tools such as TeamViewer and AnyDesk. Other examples of threat actors that have used ScreenConnect in the past are the Iranian actor named Static Kitten [1] and another targeted ransomware group called Zeppelin [2].\r\nIn this blog post, we will look into the traces left behind by the usage of the ScreenConnect remote administration software and how these traces can help defenders build custom detection.\r\n2. ScreenConnect traces and detection\r\nThis chapter describes the different traces left by ScreenConnect when it is actively used. Furthermore, some rules are provided in order to detect the usage of ScreenConnect on a system or in an infrastructure.\r\n2.1 ScreenConnect functionality\r\nConnectWise Control [3] (formerly known as ScreenConnect) is advertised as a solution that \"gives your techs full remote access to remotely control, troubleshoot, and update client devices\". 
It should not come as a surprise that ScreenConnect can thus also be used for malicious purposes.\r\nVia the web interface, ConnectWise Control offers, among other things, functionality to remotely:\r\nExecute arbitrary commands;\r\nTerminate processes;\r\nUninstall software;\r\nView event logs;\r\nStart / stop services;\r\nInstall Windows updates.\r\nAdditionally, ConnectWise Control allows an operator to take control of a machine's desktop session. During a recent incident response case, the File Transfer functionality was used, among other things, to upload Mimikatz [4] to a compromised system, as well as to upload other tools like Advanced IP Scanner and the actual ransomware.\r\nhttps://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling\r\nPage 1 of 11\n\nFigure 1 - Machine with status connected in ConnectWise Control.\r\nAll events related to ScreenConnect can be found in the Windows event logs and are logged with the provider name 'ScreenConnect Client (\u003chex string\u003e)'. 
More specifically, they are found in the Application.evtx and System.evtx log files, which can generally be found at the following location:\r\nC:\\Windows\\System32\\winevt\\logs\\\u003cevent log file\u003e.evtx\r\nTable 2 gives an overview of the different events that are logged in the Windows event logs, what is logged, in which log file the event can be found and what the corresponding EventID is.\r\nEvent | Value | Log | EventID\r\nService being installed | A service was installed in the system | System | 7045\r\nStart of remote session | Cloud Account Administrator Connected | Application | 0\r\nClosing of remote session | Cloud Account Administrator Disconnected | Application | 0\r\nFile upload / transfer | Transferred files with action 'Transfer': \u003clist of file names\u003e | Application | 0\r\nCommand execution | Executed command of length: \u003csize\u003e | Application | 0\r\nTable 2 - Windows Event log event information and variables.\r\n2.2 ScreenConnect installation of service\r\nWhen ScreenConnect is installed, it installs itself as a service. Services that are installed show up in the Windows event logs and can therefore be detected. More specifically, these events can be found in the 'System' event log and get Event ID 7045. An example of such an event is shown in Figure 2.\r\nFigure 2 - ScreenConnect being installed as a service Windows event.\r\n2.3 ScreenConnect start and ending of a session\r\nOnce a user decides to 'Join' an endpoint (as shown in Figure 1) and to interact with it, a new event is logged in the Windows Application event log. An example of such a recorded event is shown in Figure 3. 
A session disconnect is recorded as well; an example is shown in Figure 4.\r\nFigure 3 - Cloud Account Administrator Connected event.\r\nFigure 4 - Cloud Account Administrator Disconnected event.\r\n2.4 ScreenConnect file transfers\r\nScreenConnect offers different ways of interacting with the endpoint on which the ScreenConnect agent is installed. File transfer is one of them. Files can be both sent to and retrieved from an endpoint, as shown in Figure 5.\r\nFigure 5 - ConnectWise Control file transfer functionality.\r\nWhen files are transferred, the Windows Application event log not only records this as an event, but also registers the name of the file that is being exchanged. In Figure 6 the file payload.exe is transferred to the endpoint. Do note that the retrieval of files from the endpoint is not logged in the Windows Application event log.\r\nFigure 6 - Windows event log event indicating a file has been transferred.\r\n2.5 ScreenConnect command execution\r\nAnother form of interaction with an endpoint is command execution. Via the ConnectWise Control center it's possible to type a command and hit the 'Run Command' button, after which the command is executed. The commands that can be used are the commands that are generally supported by the Windows Command Prompt. An example of the interface in ConnectWise Control is shown in Figure 7.\r\nFigure 7 - ConnectWise Control command execution functionality.\r\nUpon execution of an operator-invoked task, a Windows event is generated that indicates a command of a certain length has been executed, as shown in Figure 8. The type of executed task cannot be derived from the Windows event logs. 
However, manually executed shell commands are launched from ScreenConnect.ClientService.exe as command (.cmd) scripts, whereas tasks like process listing and termination are executed via PowerShell (.ps1) scripts.\r\nFigure 8 - Windows Eventlog event indicating an executed command.\r\nThe process of a command task being launched by ScreenConnect.ClientService.exe, the actual execution of the command and the result are outlined in a bit more detail in Table 3.\r\nC:\\Program Files (x86)\\ScreenConnect Client (\u003chex string\u003e)\\ScreenConnect.ClientService.exe\r\n--\u003e \"cmd.exe\" /c \"C:\\Windows\\TEMP\\ScreenConnect\\\u003cversion\u003e\\\u003cuuid\u003erun.cmd\"\r\n--\u003e \u003cexecuted shell command\u003e\r\nTable 3 - Execution chain of a command via the ConnectWise Control interface.\r\n2.6 ScreenConnect detection and response\r\nInstallation of and interaction with ScreenConnect can be detected. We have developed Carbon Black and YARA-L rules to support detection efforts. These rules can be found in Appendix 1, at the bottom of this page.\r\nFurthermore, from a forensics perspective, the fact that ScreenConnect.ClientService.exe writes the command(s) to either a .cmd or a .ps1 file before executing the command might make it possible (this has not yet been tested by Hunt \u0026 Hackett) to carve for these files. This could potentially shed more light on the actual commands that have been executed by the adversary.\r\n3. Anti-forensics and robust detection\r\nScreenConnect event logs can indicate that an operator has connected to a machine or performed certain actions like executing commands or transferring files.\r\nAt first glance, it might appear that monitoring for ScreenConnect events is enough to detect malicious usage of ScreenConnect. This is, however, not something we can always assume. 
For robust detection we cannot take for granted that all information is always available.\r\nFor example, we cannot just rely on the Windows event logs. ScreenConnect events are generated by the application itself, meaning that a determined attacker can prevent any logs from being created. The ScreenConnect client uses the TryWriteInformationToEventLog() function to log certain events.\r\nFigure 9 - ScreenConnect event log operation.\r\nTryWriteInformationToEventLog() is implemented in the unsigned ScreenConnect.Core.dll module and, below the surface, is merely a wrapper around EventLog.WriteEntry(). If the application is modified in such a way that EventLog.WriteEntry() is never executed, event logs are no longer generated.\r\nFigure 10 - ScreenConnect write to EventLog.WriteEntry.\r\nTo demonstrate that ScreenConnect can be prevented from logging events, we patched the bytecode of ScreenConnect.Core.dll using a tool like dnSpy [5] and overwrote the call to EventLog.WriteEntry() in TryWriteInformationToEventLog(), as shown in Figure 11. This ensures that ScreenConnect can no longer generate any events and thus creates less evidence.\r\nFor this proof-of-concept, we manually patched out the call to EventLog.WriteEntry(). A determined attacker could of course implement this anti-forensics technique in a different way.\r\nFigure 11 - Patching the write to event log functionality of ScreenConnect.\r\nIn case an attacker uses such a modified version of ScreenConnect, we cannot just rely on the Windows event logs. Instead, detection should also focus on the execution of suspicious executables, whether that is ScreenConnect being launched / installed by the attacker or executable files being started via the built-in Run Command functionality. 
\r\nIn Appendix 1, we have included detection rules for Chronicle and Carbon Black that can detect the initialisation of ScreenConnect and the execution of tasks via the control panel, so that you can use these in your SOC or MDR setup. Additionally, a Sigma rule is publicly available that can detect the initialisation of ScreenConnect [6].\r\nPost-incident, carving for .ps1 or .cmd files might be the way to go in case you would like to understand which commands might have been executed by the adversary.\r\n4. Sources\r\n[1] https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies\r\n[2] https://blog.morphisec.com/connectwise-control-abused-again-to-deliver-zeppelin-ransomware\r\n[3] https://www.connectwise.com/platform/unified-management/control\r\n[4] https://github.com/gentilkiwi/mimikatz\r\n[5] https://github.com/dnSpy/dnSpy\r\n[6] https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_screenconnect_access.yml\r\nAppendix 1 - Detection rules\r\nThis appendix contains an overview of different rules in both Carbon Black and YARA-L format. Additionally, an already existing Sigma rule can be found in the Sigma rule repository at 'SigmaHQ/sigma/rules/windows/process_creation/win_susp_screenconnect_access.yml'. For completeness, this Sigma rule is listed in this appendix as well. 
\r\nSigma\r\nAction: ScreenConnect Remote Access detection\r\nSigma rule:\r\ntitle: ScreenConnect Remote Access\r\nid: 75bfe6e6-cd8e-429e-91d3-03921e1d7962\r\nstatus: experimental\r\ndescription: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)\r\nreferences:\r\n   - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies\r\nauthor: Florian Roth\r\ndate: 2021/02/11\r\nlogsource:\r\n   category: process_creation\r\n   product: windows\r\ndetection:\r\n   selection:\r\n       CommandLine|contains|all:\r\n           - 'e=Access\u0026'\r\n           - 'y=Guest\u0026'\r\n           - '\u0026p='\r\n           - '\u0026c='\r\n           - '\u0026k='\r\n   condition: selection\r\nfalsepositives:\r\n   - Legitimate use by administrative staff\r\nlevel: high\r\nCarbon Black\r\nAction: ScreenConnect initialisation\r\nCarbon Black query:\r\n(process_cmdline:\"y=\" OR process_cmdline:\"?y=\") AND (process_cmdline:\"h=\" OR process_cmdline:\"?h=\") AND (process_cmdline:\"p=\" OR process_cmdline:\"?p=\") AND (process_cmdline:\"s=\" OR process_cmdline:\"?s=\") AND (process_cmdline:\"k=\" OR process_cmdline:\"?k=\")\r\nAction: Task execution through ScreenConnect\r\nCarbon Black query:\r\n(process_name:*screenconnect* OR process_publisher:*ConnectWise*) AND childproc_cmdline:*run.ps1\r\nAction: Cmd command execution through ScreenConnect\r\nCarbon Black query:\r\n(process_name:*screenconnect* OR process_publisher:*ConnectWise*) AND childproc_cmdline:*run.cmd\r\nYARA-L\r\nAction: ScreenConnect initialisation\r\nRule:\r\nrule screenconnect_initialisation {\r\n     meta:\r\n         author = \"Hunt \u0026 Hackett\"\r\n         description = 
\"Detects ScreenConnect initialisation\"\r\n     events:\r\n         $e.metadata.event_type = \"PROCESS_LAUNCH\"\r\n         $e.principal.process.command_line = /(\\?|\\\u0026|\\;)y=/ nocase\r\n         $e.principal.process.command_line = /(\\?|\\\u0026|\\;)h=/ nocase\r\n         $e.principal.process.command_line = /(\\?|\\\u0026|\\;)p=/ nocase\r\n         $e.principal.process.command_line = /(\\?|\\\u0026|\\;)s=/ nocase\r\n         $e.principal.process.command_line = /(\\?|\\\u0026|\\;)k=/ nocase\r\n     condition:\r\n         $e\r\n}\r\nAction: ScreenConnect task execution\r\nRule:\r\nrule screenconnect_task_execution {\r\n     meta:\r\n         author = \"Hunt \u0026 Hackett\"\r\n         description = \"Detects task execution through ScreenConnect\"\r\n     events:\r\n         $e.metadata.event_type = \"PROCESS_LAUNCH\"\r\n         (\r\n             $e.principal.process.file.full_path = /ScreenConnect/ nocase and\r\n             $e.target.process.file.full_path = /powershell.exe/ nocase\r\n         )\r\n         or\r\n         (\r\n             $e.principal.process.command_line = /(powershell\\.exe)(.*)([a-f0-9-]{36}run\\.ps1)/ nocase\r\n         )\r\n     condition:\r\n         $e\r\n}\r\nAction: ScreenConnect command execution\r\nRule:\r\nrule screenconnect_cmd_command_execution {\r\n     meta:\r\n         author = \"Hunt \u0026 Hackett\"\r\n         description = \"Detects cmd command execution through ScreenConnect\"\r\n     events:\r\n         $e.metadata.event_type = \"PROCESS_LAUNCH\"\r\n         (\r\n             $e.principal.process.file.full_path = /ScreenConnect/ nocase and\r\n             $e.target.process.file.full_path = /cmd.exe/ nocase\r\n         )\r\n         or\r\n         (\r\n             $e.principal.process.command_line = /(cmd\\.exe)(.*)(\\/c)(.*)([a-f0-9-]{36}run\\.cmd)/ nocase\r\n         )\r\n     condition:\r\n         $e\r\n}\r\nSource: 
https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling"
	],
	"report_names": [
		"revil-the-usage-of-legitimate-remote-admin-tooling"
	],
	"threat_actors": [
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434679,
	"ts_updated_at": 1775826750,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ca6bee76b429fea05b3914ad55d89873480172c7.pdf",
		"text": "https://archive.orkl.eu/ca6bee76b429fea05b3914ad55d89873480172c7.txt",
		"img": "https://archive.orkl.eu/ca6bee76b429fea05b3914ad55d89873480172c7.jpg"
	}
}