1. Home
  2. Software
  3. ConnectWise

ConnectWise

ConnectWise is a legitimate remote administration tool that has been used since at least 2016 by threat actors including MuddyWater and GOLD SOUTHFIELD to connect to and conduct lateral movement in target environments.[1][2]

ID: S0591
Associated Software: ScreenConnect
Type: TOOL
Platforms: Windows
Version: 1.0
Created: 18 March 2021
Last Modified: 18 March 2021

Associated Software Descriptions

Name Description
ScreenConnect

[1]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

ConnectWise can be used to execute PowerShell commands on target machines.[1]
Enterprise T1113 Screen Capture

ConnectWise can take screenshots on remote hosts.[1]
Enterprise T1125 Video Capture

ConnectWise can record video on remote hosts.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[1][2]
G0115 GOLD SOUTHFIELD

[1][3]

References

  1. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  2. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  1. Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.