LoFP / it is possible that legitimate remote access software is used within the environment. ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment. known false positives can be added to the remote_access_software_usage_exception.csv lookup to globally suppress these situations across all remote access content

Techniques

• T1219

Sample rules

Detect Remote Access Software Usage URL

• source: splunk
• technicques:
  • T1219

Description

The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name("Web")` 
| lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category 
| search isutility = True 
| `remote_access_software_usage_exceptions` 
| `detect_remote_access_software_usage_url_filter`

Detect Remote Access Software Usage DNS

• source: splunk
• technicques:
  • T1219

Description

The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query 
| `drop_dm_object_name("DNS")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category 
| eval dest = query 
| search isutility = True 
| `remote_access_software_usage_exceptions` 
| `detect_remote_access_software_usage_dns_filter`

Detect Remote Access Software Usage Traffic

• source: splunk
• technicques:
  • T1219

Description

The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization’s security.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app 
| `drop_dm_object_name("All_Traffic")` 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category 
| search isutility = True 
| `remote_access_software_usage_exceptions` 
| `detect_remote_access_software_usage_traffic_filter`

Detect Remote Access Software Usage Process

• source: splunk
• technicques:
  • T1219

Description

The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization’s security.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `drop_dm_object_name(Processes)` 
| lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category 
| search isutility = True 
| `remote_access_software_usage_exceptions` 
| `detect_remote_access_software_usage_process_filter`