Merge PR SigmaHQ#4743 from @nasbench - Increase Coverage For SC Relat…

…ed Rule

update: Remote Access Tool - ScreenConnect Potential Suspicious Remote Command Execution - Add more potential child process seen in the wild

rules/windows/process_creation/proc_creation_win_remote_access_tools_screenconnect_remote_execution_susp.yml

@@ -10,9 +10,10 @@ references:
     - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
     - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
     - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
+    - https://www.trendmicro.com/en_us/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems), @Kostastsale
 date: 2022/02/25
-modified: 2024/02/26
+modified: 2024/02/28
 tags:
     - attack.command_and_control
     - attack.t1219
@@ -25,10 +26,15 @@ detection:
             - ':\Windows\TEMP\ScreenConnect\'
             - 'run.cmd'
         Image|endswith:
+            - '\bitsadmin.exe'
             - '\cmd.exe'
             - '\curl.exe'
+            - '\dllhost.exe'
+            - '\net.exe'
+            - '\nltest.exe'
             - '\powershell.exe'
             - '\pwsh.exe'
+            - '\rundll32.exe'
             - '\wevtutil.exe'
     condition: selection
 falsepositives: