ScreenConnect (ConnectWise Control) Application Data

Overview

Evidence: ScreenConnect (ConnectWise Control) Application Data Description: Collect Various Types of ScreenConnect (ConnectWise Control) Application Data Category: Applications Platform: windows Short Name: scrncnppadt Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Background

ScreenConnect (now ConnectWise Control) is a remote support and access platform widely used by MSPs and IT departments. It stores configuration files, session databases, user data, and security settings. The software has been targeted by threat actors for initial access and persistence.

Data Collected

This collector gathers structured data about screenconnect (connectwise control) application data.

Collection Method

This collector gathers ScreenConnect configuration files, user XML files, session databases, security databases, extensions, and temporary data from multiple installation and data directories.

Forensic Value

ScreenConnect data is critical for investigating remote access incidents, as the platform is frequently exploited by ransomware groups and APTs. The data reveals remote sessions, user accounts, client connections, transferred files, and can identify unauthorized use of legitimate remote access tools for malicious purposes.