ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]

ID: S0591
Associated Software: ScreenConnect
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 18 March 2021
Last Modified: 18 March 2021

Associated Software Descriptions

Name | Description
ScreenConnect | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | ConnectWise can be used to execute PowerShell commands on target machines.[1]
Enterprise | T1113 | Screen Capture | ConnectWise can take screenshots on remote hosts.[1]
Enterprise | T1125 | Video Capture | ConnectWise can record video on remote hosts.[1]

Groups That Use This Software

ID | Name | References
G0069 | MuddyWater | [1][2]
G0115 | GOLD SOUTHFIELD | [1][3]

References