S0591 ConnectWise
ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]
| Item | Value |
|---|---|
| ID | S0591 |
| Associated Names | ScreenConnect |
| Type | TOOL |
| Version | 1.0 |
| Created | 18 March 2021 |
| Last Modified | 13 April 2023 |
Associated Software Descriptions
| Name | Description |
|---|---|
| ScreenConnect | [1] |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | ConnectWise can be used to execute PowerShell commands on target machines.[1] |
| enterprise | T1113 | Screen Capture | ConnectWise can take screenshots on remote hosts.[1] |
| enterprise | T1125 | Video Capture | ConnectWise can record video on remote hosts.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0069 | MuddyWater | [1][2] |
| G0115 | GOLD SOUTHFIELD | [1][3] |
References
1. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
2. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
3. Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved December 14, 2020.