Detect Remote Access Software Usage FileInfo
The following analytic detects the execution of processes whose file-information (FileInfo) or code-signing attributes match known remote access software in the environment. It leverages Sysmon EventCode 1 (process creation) data and cross-references a lookup table of remote access utilities such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant because adversaries often use these tools to maintain unauthorized remote access. If confirmed malicious, it could allow attackers to persist in the environment, potentially leading to data exfiltration or further compromise of the network.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Command & Control | T1219 Remote Access Tools |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: search
search EventCode=1
Stage 2: stats
stats BY action, dest, original_file_name, parent_process, parent_process_exec, parent_process_guid, parent_process_id, parent_process_name, parent_process_path, process, process_exec, process_guid, process_hash, process_id, process_integrity_level, process_name, process_path, user, user_id, vendor_product
Stage 3: lookup
lookup <lookup> Product, category, comment_reference, desc, description, isutility, remote_utility_fileinfo, signature
Stage 4: search
search isutility=True
Stage 5: search
search `macro`
Stage 6: search
search `macro`
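To make the six stages concrete, the following added example (not the rule's own SPL and not Splunk code) re-implements the pipeline in Python over constructed Sysmon EventCode 1 records. It assumes, since the page does not say, that the lookup shown as `<lookup>` is keyed on `remote_utility_fileinfo` and matched case-insensitively with `*` wildcards against the Sysmon FileInfo `Product` string, that the lookup's `description` and `comment_reference` columns are emitted as `signature` and `desc`, and that the two `macro` stages together act as an allowlist of approved host/user pairs.

```python
"""Offline re-implementation of the stage pipeline for
"Detect Remote Access Software Usage FileInfo".

Added example, not the rule's own SPL. Assumptions (not on the page):
  * the lookup (<lookup> above) is keyed on remote_utility_fileinfo and matched
    against the Sysmon FileInfo "Product" field, case-insensitively, '*' wildcards;
  * its description/comment_reference columns are emitted as signature/desc;
  * the two `macro` stages are modelled as one allowlist of (dest, user) pairs.
"""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed lookup rows using the column names listed in Stage 3.
REMOTE_ACCESS_LOOKUP = [
    {"remote_utility_fileinfo": "*AnyDesk*", "isutility": "True", "description": "AnyDesk",
     "comment_reference": "ref-placeholder", "category": "Remote Access"},
    {"remote_utility_fileinfo": "*TeamViewer*", "isutility": "True", "description": "TeamViewer",
     "comment_reference": "ref-placeholder", "category": "Remote Access"},
    {"remote_utility_fileinfo": "*LogMeIn*", "isutility": "True", "description": "LogMeIn",
     "comment_reference": "ref-placeholder", "category": "Remote Access"},
]

# Subset of the Stage 2 BY fields, plus Product as the lookup join key (assumption).
STATS_BY = ("action", "dest", "original_file_name", "parent_process_name", "process",
            "process_name", "process_path", "user", "vendor_product", "Product")

# Constructed stand-in for the `macro` exception stages: approved (dest, user) pairs.
ALLOWLIST = {("HELPDESK01", "CORP\\svc_helpdesk")}


def _event(code, dest, user, name, product, parent="explorer.exe"):
    """Build a constructed Sysmon record shaped like the Stage 2 field list."""
    return {"EventCode": code, "action": "allowed", "dest": dest, "user": user,
            "original_file_name": name, "parent_process_name": parent,
            "process": f"C:\\Users\\Public\\{name}", "process_name": name,
            "process_path": f"C:\\Users\\Public\\{name}",
            "vendor_product": "Microsoft Sysmon", "Product": product}


# Constructed sample events covering the cases each stage must handle.
SAMPLE_EVENTS = [
    _event(1, "WS01", "CORP\\alice", "AnyDesk.exe", "AnyDesk"),
    _event(1, "WS01", "CORP\\alice", "AnyDesk.exe", "AnyDesk"),      # repeat launch: collapses in stats
    _event(1, "WS02", "CORP\\bob", "notepad.exe", "Microsoft Windows Operating System"),
    _event(3, "WS02", "CORP\\bob", "AnyDesk.exe", "AnyDesk"),         # EventCode 3 (network): dropped by Stage 1
    _event(1, "HELPDESK01", "CORP\\svc_helpdesk", "TeamViewer.exe", "TeamViewer"),  # allowlisted
    _event(1, "WS03", "CORP\\carol", "update.exe", "LogMeIn Client"),  # renamed binary; FileInfo still says LogMeIn
]


def stage1_search(events, code=1):
    """Stage 1: search EventCode=1 (process creation only)."""
    return [e for e in events if e.get("EventCode") == code]


def stage2_stats(events):
    """Stage 2: stats count BY <fields>; one row per distinct field combination."""
    counts = Counter(tuple(e.get(f, "") for f in STATS_BY) for e in events)
    return [dict(zip(STATS_BY, key), count=n) for key, n in counts.items()]


def stage3_lookup(rows, lookup=REMOTE_ACCESS_LOOKUP):
    """Stage 3: enrich each row from the first lookup entry whose
    remote_utility_fileinfo pattern matches the row's Product string."""
    enriched = []
    for row in rows:
        out = dict(row)
        product = row.get("Product", "").lower()
        for entry in lookup:
            if fnmatchcase(product, entry["remote_utility_fileinfo"].lower()):
                out.update(isutility=entry["isutility"], signature=entry["description"],
                           desc=entry["comment_reference"], category=entry["category"])
                break
        enriched.append(out)
    return enriched


def stage4_search(rows):
    """Stage 4: search isutility=True (rows the lookup did not match carry no isutility)."""
    return [r for r in rows if r.get("isutility") == "True"]


def stage5_6_macros(rows, allowlist=ALLOWLIST):
    """Stages 5-6: the exception/filter macros, modelled here as an allowlist."""
    return [r for r in rows if (r["dest"], r["user"]) not in allowlist]


def run_detection(events):
    """Run all six stages and return the rows that would raise the alert."""
    return stage5_6_macros(stage4_search(stage3_lookup(stage2_stats(stage1_search(events)))))


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(f"{hit['dest']} {hit['user']} {hit['process_name']} -> {hit['signature']} (x{hit['count']})")
```

Running it yields two alerts: the repeated AnyDesk launch on WS01 (one row with a count of 2, because Stage 2 aggregates before the lookup) and the renamed `update.exe` on WS03, which the FileInfo `Product` string still identifies as LogMeIn. The help-desk TeamViewer launch is suppressed by the allowlist stage, which is where sanctioned remote-support tooling should be tuned out rather than by widening the `isutility` filter.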
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely used, community-vetted indicators, while a blank or a 1 means the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventCode | eq | 1 |
| isutility | eq | True |
Neighbors
Stricter alternatives (narrower than this rule)
The rules below may be useful if you find the current rule too noisy or lacking in specificity.
- Process Deleting Its Process File Path (adds 3 filters)
- Windows Privilege Escalation System Process Without System Parent (adds 3 filters)