ScreenConnect
8 events across 1 channel
| Event ID | Title | Channel |
|---|---|---|
| 1 | | Application |
| 4 | | Application |
| 20 | Network connection to host created successfully. | Application |
| 30 | | Application |
| 100 | Cloud account administrator connected. | Application |
| 101 | Cloud account administrator disconnected. | Application |
| 200 | Executed command of length. | Application |
| 201 | Transferred files with action 'Transfer'. | Application |
Event ID 20 — Network connection to host created successfully.
Description
Network connection to host created successfully.
Message
Fields
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
| Data | — |
Example Event
```json
{
  "system": {
    "provider": "ScreenConnect",
    "guid": "",
    "event_source_name": "",
    "event_id": 20,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-12T18:19:25.230348+00:00",
    "event_record_id": 1467,
    "correlation": {},
    "execution": {
      "process_id": 12712,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "Network connection to host created successfully\r\n\r\nVersion: 24.2.10.8991\r\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (207d3896f8faaf5e)\\ScreenConnect.ClientService.exe\r\n",
    "Binary": ""
  },
  "message": ""
}
```
References
Event ID 100 — Cloud account administrator connected.
Event ID 101 — Cloud account administrator disconnected.
Event ID 200 — Executed command of length.
Description
Executed command of length.
Message
Fields
| Name | Description |
|---|---|
| Data UnicodeString | — |
Detection Rules
Sigma
- Remote Access Tool - ScreenConnect Command Execution (low): Detects command execution via ScreenConnect RMM
References
Event ID 201 — Transferred files with action 'Transfer'.
Description
Transferred files with action 'Transfer'.
Message
Fields
| Name | Description |
|---|---|
| Data_0 | — |
| Binary | — |
| Data | — |
Example Event
```json
{
  "system": {
    "provider": "ScreenConnect",
    "guid": "",
    "event_source_name": "",
    "event_id": 201,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 36028797018963968,
    "time_created": "2026-02-12T18:19:32.932554+00:00",
    "event_record_id": 1468,
    "correlation": {},
    "execution": {
      "process_id": 12712,
      "thread_id": 0
    },
    "channel": "Application",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": ""
    }
  },
  "event_data": {
    "Data_0": "Transferred files with action 'RunSilentElevated':\r\nScreenConnect.ClientSetup.exe\r\n\r\nVersion: 24.2.10.8991\r\nExecutable Path: C:\\Program Files (x86)\\ScreenConnect Client (207d3896f8faaf5e)\\ScreenConnect.ClientService.exe\r\n",
    "Binary": ""
  },
  "message": ""
}
```
Detection Rules
Sigma
- Remote Access Tool - ScreenConnect File Transfer (low): Detects file being transferred via ScreenConnect RMM