
Summary
This detection rule targets execution of the ScreenConnect remote access tool, which adversaries may abuse to establish command and control channels. ScreenConnect is legitimate software often used by IT support for remote assistance, so its presence is expected in many environments. However, attackers can use it to bypass security measures, particularly when application control allows it to execute within the network. The rule identifies ScreenConnect by specific indicators such as service description, product name, and associated software company, in order to monitor for potentially malicious remote access activity.
Categories
- Endpoint
- Windows
Data Sources
- Process
ATT&CK Techniques
- T1219
Created: 2022-02-13