Connectwise/Screenconnect

Currently named ConnectWise, but the old ScreenConnect name still persists.

Event logs

Event Log         Event ID  Provider                                         Message
Application.evtx  100       ScreenConnect Client (<random>)* or ScreenConnect  connected
Application.evtx  101       ScreenConnect Client (<random>)* or ScreenConnect  disconnected
Application.evtx  201       ScreenConnect Client (<random>)* or ScreenConnect  Transferred files with action ''
Application.evtx  200       ScreenConnect Client (<random>)* or ScreenConnect  "Executed command of length" (but no command text is provided)
  • There is also a service install event (EID 7045, System.evtx) when ScreenConnect is installed.
  • No EvtxECmd map can cover older versions of this provider, due to engineering decisions. The result will be in the Payload column.
  • Later versions can be mapped, and the account ID will be in the payload (mapped to the executable path).
  • Previous versions logged all of the above events under Event ID 1. However, more recent testing showed 100, 101, and 201. The 4th row (200) may still be Event ID 1. Additional testing is needed.
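As an added example (not from the original page), a small Python triage routine that applies the event mapping above to exported Windows event XML (the format wevtutil and Get-WinEvent's ToXml() produce): it picks out the 100/101/200/201 client events in Application, falls back to Event ID 1 for older clients, and pairs them with the 7045 service install from System. The sample records and the random client suffix are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Application.evtx event IDs the page lists for the ScreenConnect client provider.
SC_EVENTS = {100: "connected", 101: "disconnected", 201: "transferred files",
             200: "executed command (length only, no command text)"}
LEGACY_EID = 1  # older clients logged all of the above under Event ID 1
# Provider is "ScreenConnect" or "ScreenConnect Client (<random>)"; the suffix varies per install.
SC_PROVIDER = re.compile(r"^ScreenConnect( Client \([^)]+\))?$")

def triage(xml_records):
    """Return (time, event_id, label, payload) for ScreenConnect-related records, oldest first."""
    hits = []
    for xml in xml_records:
        ev = ET.fromstring(xml)
        sysn = ev.find("e:System", NS)
        provider = sysn.find("e:Provider", NS).get("Name", "")
        eid = int(sysn.find("e:EventID", NS).text)
        channel = sysn.find("e:Channel", NS).text
        ts = sysn.find("e:TimeCreated", NS).get("SystemTime")
        payload = " | ".join(d.text or "" for d in ev.iterfind("e:EventData/e:Data", NS))
        if channel == "Application" and SC_PROVIDER.match(provider):
            if eid in SC_EVENTS:
                hits.append((ts, eid, SC_EVENTS[eid], payload))
            elif eid == LEGACY_EID:  # old clients: only the message text says what happened
                hits.append((ts, eid, "legacy event, inspect payload", payload))
        elif channel == "System" and eid == 7045 and "screenconnect" in payload.lower():
            hits.append((ts, eid, "service install", payload))  # first trace of the install
    return sorted(hits)

def _rec(provider, eid, channel, ts, *data):
    """Build a minimal Windows event XML record; every sample below is constructed."""
    body = "".join(f"<Data>{d}</Data>" for d in data)
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="{provider}"/>'
            f'<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/>'
            f'<Channel>{channel}</Channel></System><EventData>{body}</EventData></Event>')

CLIENT = "ScreenConnect Client (a1b2c3d4e5f6)"  # constructed random suffix
SAMPLE = [
    _rec(CLIENT, 100, "Application", "2024-01-10T12:00:01Z", "Connected"),
    _rec(CLIENT, 201, "Application", "2024-01-10T12:03:15Z", "Transferred files with action ''"),
    _rec(CLIENT, 200, "Application", "2024-01-10T12:05:40Z", "Executed command of length 57"),
    _rec("Service Control Manager", 7045, "System", "2024-01-10T11:59:50Z", CLIENT,
         r"C:\Program Files (x86)\ScreenConnect Client (a1b2c3d4e5f6)\ScreenConnect.ClientService.exe"),
    _rec("Microsoft-Windows-Security-SPP", 1003, "Application", "2024-01-10T12:06:00Z", "unrelated"),
    _rec(CLIENT, 101, "Application", "2024-01-10T12:30:00Z", "Disconnected"),
]
```

Running `triage(SAMPLE)` yields the install, connect, transfer, command and disconnect records in time order, with the unrelated provider filtered out.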

Application files

  • User config - C:\Windows\SysWOW64\config\systemprofile\AppData\Local\ScreenConnect Client (<random>)\user.config
  • %PROGRAMDATA%\ScreenConnect Client (<random>)\
  • %PROGRAMFILES(x86)%\ScreenConnect Client (<random>)\
  • %SYSTEMROOT%\temp\screenconnect\[version]\
  • %USERPROFILE%\Documents\ConnectWiseControl\captures\
  • File execution - %USERPROFILE%\Documents\ConnectWiseControl\Temp\ (e.g. malware.exe)
  • File Transfers - %USERPROFILE%\Documents\ConnectWiseControl\Files\
  • Scripts - %SYSTEMROOT%\temp

Useful notes

If you see https://.screenconnect.com, this is the username of the account.[4] [5]

References