Techniques
Sample rules
Windows Remote Access Software Hunt
- source: splunk
- technicques:
- T1219
Description
The following analytic identifies the use of remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process execution logs. This detection is significant as unauthorized remote access tools can be used by adversaries to maintain persistent access to compromised systems. If confirmed malicious, this activity could allow attackers to remotely control systems, exfiltrate data, or further infiltrate the network. Review the identified software to ensure it is authorized and take action against any unauthorized utilities.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as process values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.user!=unknown by Processes.dest Processes.user Processes.process_name Processes.process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| lookup remote_access_software remote_utility AS process_name OUTPUT isutility
| search isutility = True
| `windows_remote_access_software_hunt_filter`