
Summary
This detection rule identifies the installation of ScreenConnect, a legitimate remote access tool that adversaries can abuse to establish command and control (C2) channels in a target environment. Such software poses a risk precisely because its use can blend in with normal business operations, which complicates detection. The rule looks for file events indicating the presence of the ScreenConnect executable in a designated directory, which suggests the application has been installed or run. Because remote access tools are often used legitimately, the rule may produce false positives, so security professionals need to analyze the context of the detected events carefully (for example, which process wrote the file and whether the host is covered by an approved deployment). The rule maps to ATT&CK technique T1219, which covers remote access tools used to gain unauthorized control of systems.
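As an added example (not part of the original rule or its project), the following Python code runs the kind of file-event check the summary describes over a few constructed Sysmon-style file-creation records, and also reports the writing process so an analyst can triage a hit. The page does not name the rule's actual directory or selector, so the "ScreenConnect Client" folder pattern, the field names (EventID, Image, TargetFilename) and every sample path here are assumptions for the example.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample events in a Sysmon Event ID 11 (FileCreate) style.
# The paths and process names are fabricated for this example and are not
# taken from any real host or from the rule itself.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\report.pdf"},
    {"EventID": 11, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe"},
    {"EventID": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\screenconnect_notes.txt"},
    # A process-creation event (EventID 1) is not a file write and must not match.
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "TargetFilename": ""},
]

# Assumed selector: a directory segment starting with "ScreenConnect Client"
# followed by a ScreenConnect*.exe file. This is an assumption for the example,
# not the rule's real path pattern, which the summary does not give.
_SC_PATH = re.compile(
    r"\\ScreenConnect Client[^\\]*\\ScreenConnect[^\\]*\.exe$",
    re.IGNORECASE,
)


def is_screenconnect_file_event(event: dict) -> bool:
    """True when a file-creation event writes a ScreenConnect client executable."""
    if event.get("EventID") != 11:  # only FileCreate events describe a file being written
        return False
    return bool(_SC_PATH.search(event.get("TargetFilename", "")))


def find_screenconnect_installs(events: Iterable[dict]) -> List[Tuple[str, str]]:
    """Return (target_filename, writing_process) pairs for every matching event.

    The writing process is kept because it is the first triage question for a
    false-positive-prone rule: an installer launched by a managed deployment
    tool reads very differently from one dropped from a user's temp folder.
    """
    return [
        (ev["TargetFilename"], ev.get("Image", ""))
        for ev in events
        if is_screenconnect_file_event(ev)
    ]


if __name__ == "__main__":
    for path, writer in find_screenconnect_installs(SAMPLE_EVENTS):
        print(f"ScreenConnect executable written: {path}\n    by: {writer}")
```

Running the block on the constructed events flags the two executables under the ScreenConnect client folder and ignores the unrelated download, the text file whose name merely contains "screenconnect", and the process-creation event; the reported writer (a temp-folder setup.exe versus msiexec.exe) is the detail an analyst would use to decide whether the install matches an approved deployment.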
Categories
- Windows
Data Sources
- File
ATT&CK Techniques
- T1219
Created: 2022-02-13