Sample rules
Detect Remote Access Software Usage URL
- source: splunk
- techniques:
- T1219
Description
The following analytic detects the execution of known remote access software within the environment. It leverages network logs mapped to the Web data model, identifying specific URLs and user agents associated with remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This activity is significant as adversaries often use these utilities to maintain unauthorized remote access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or further compromise the network, posing a severe security risk.
Detection logic
| tstats count min(_time) as firstTime
max(_time) as lastTime
latest(Web.http_method) as http_method
latest(Web.http_user_agent) as http_user_agent
latest(Web.url) as url
latest(Web.user) as user
latest(Web.dest) as dest
from datamodel=Web where
Web.url_domain=*
NOT Web.url_domain IN ("-", "unknown")
by Web.action Web.src Web.category Web.url_domain Web.url_length
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("Web")`
| lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_url_filter`
Detect Remote Access Software Usage DNS
- source: splunk
- techniques:
- T1219
Description
The following analytic detects DNS queries to domains associated with known remote access software such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. This detection is crucial as adversaries often use these tools to maintain access and control over compromised environments. Identifying such behavior is vital for a Security Operations Center (SOC) because unauthorized remote access can lead to data breaches, ransomware attacks, and other severe impacts if these threats are not mitigated promptly.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
from datamodel=Network_Resolution where
DNS.query=*
NOT DNS.query IN ("-", "unknown")
by DNS.answer DNS.answer_count DNS.query
DNS.query_count DNS.reply_code_id DNS.src
DNS.vendor_product
| `drop_dm_object_name("DNS")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category
| eval dest = query
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_dns_filter`
Detect Remote Access Software Usage Traffic
- source: splunk
- techniques:
- T1219
Description
The following analytic detects network traffic associated with known remote access software applications, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Palo Alto traffic logs mapped to the Network_Traffic data model in Splunk. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization’s security.
Detection logic
| tstats `security_content_summariesonly`
count min(_time) as firstTime
max(_time) as lastTime
values(All_Traffic.dest_port) as dest_port
latest(All_Traffic.user) as user
from datamodel=Network_Traffic where
All_Traffic.app=*
NOT All_Traffic.app IN ("-", "unknown")
by All_Traffic.action All_Traffic.app All_Traffic.bytes All_Traffic.bytes_in
All_Traffic.bytes_out All_Traffic.dest All_Traffic.dest_ip
All_Traffic.dest_port All_Traffic.dvc All_Traffic.protocol
All_Traffic.protocol_version All_Traffic.src All_Traffic.src_ip
All_Traffic.src_port All_Traffic.transport All_Traffic.user
All_Traffic.vendor_product
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_traffic_filter`
Detect Remote Access Software Usage Process
- source: splunk
- techniques:
- T1219
Description
The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. These process names are then compared with a list of known remote access software shipped as a lookup file, remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization’s security.
Detection logic
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process
from datamodel=Endpoint.Processes
where
[
| inputlookup remote_access_software where isutility=TRUE
| rename remote_utility AS Processes.process_name
| fields Processes.process_name]
AND Processes.dest!="unknown"
AND Processes.user!="unknown"
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
| search isutility = TRUE
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_process_filter`
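The four Splunk rules above share one pattern: join an event field against the remote_access_software lookup, keep rows where isutility is true, then drop approved exceptions. The following Python model of that pipeline is an added example, not code from the Splunk Security Content project; the lookup rows and events are constructed samples, and the shape of the exceptions macro (a set of approved dest/signature pairs) is an assumption, since its contents are not shown on the page.

```python
import csv
import io
# Constructed stand-in for the remote_access_software lookup file; the columns
# follow the SPL above, the rows are sample values, not the shipped list.
LOOKUP_CSV = """remote_utility,remote_domain,remote_appid,isutility,description,comment_reference,category
anydesk.exe,anydesk.com,anydesk,TRUE,AnyDesk,ref-anydesk,remote desktop
teamviewer.exe,teamviewer.com,teamviewer,TRUE,TeamViewer,ref-teamviewer,remote desktop
notepad.exe,,,FALSE,Notepad,ref-none,n/a
"""

# (event field, lookup column) joined by each rule's
# `lookup remote_access_software <column> AS <field>` line.
JOIN_KEYS = {
    "url": ("url_domain", "remote_domain"),
    "dns": ("query", "remote_domain"),
    "traffic": ("app", "remote_appid"),
    "process": ("process_name", "remote_utility"),
}

def match_events(events, source, exceptions=frozenset(), lookup_csv=LOOKUP_CSV):
    """Model lookup -> `search isutility = TRUE` -> exceptions for one rule; `exceptions`
    is an assumed stand-in for the exceptions macro: a set of approved (dest, signature)."""
    event_field, lookup_col = JOIN_KEYS[source]
    rows = csv.DictReader(io.StringIO(lookup_csv))
    index = {r[lookup_col].lower(): r for r in rows if r[lookup_col]}
    hits = []
    for ev in events:
        value = str(ev.get(event_field, "")).lower()  # lower-cased so AnyDesk.exe matches; the
        if value in ("", "-", "unknown"):             # real lookup's case handling is set in its
            continue                                  # definition. NOT <field> IN ("-", "unknown")
        row = index.get(value)
        if row is None or row["isutility"].upper() != "TRUE":
            continue                                  # `search isutility = TRUE`
        hit = dict(ev, signature=row["description"],
                   desc=row["comment_reference"], category=row["category"])
        if source == "dns":
            hit["dest"] = hit["query"]                # `eval dest = query`
        if (hit.get("dest"), hit["signature"]) in exceptions:
            continue                                  # approved usage, suppressed
        hits.append(hit)
    return hits

# Constructed sample events, one list per rule's data source.
SAMPLE_EVENTS = {
    "url": [{"src": "10.0.0.5", "dest": "proxy01", "url_domain": "anydesk.com"}],
    "dns": [{"src": "10.0.0.5", "query": "teamviewer.com"}],
    "process": [{"dest": "WS01", "user": "alice", "process_name": "AnyDesk.exe"},
                {"dest": "WS02", "user": "bob", "process_name": "notepad.exe"}],
}
```

Running match_events(SAMPLE_EVENTS["process"], "process") returns only the WS01 event, enriched with signature, desc and category, which is the row shape the filter macros receive.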
Cisco Secure Firewall - Remote Access Software Usage Traffic
- source: splunk
- techniques:
- T1219
Description
The following analytic detects network traffic associated with known remote access software applications that are covered by Cisco Secure Firewall Application Detectors, such as AnyDesk, GoToMyPC, LogMeIn, and TeamViewer. It leverages Cisco Secure Firewall Threat Defense Connection Events. This activity is significant because adversaries often use remote access tools to maintain unauthorized access to compromised environments. If confirmed malicious, this activity could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization’s security.
Detection logic
`cisco_secure_firewall` EventType=ConnectionEvent
| stats min(_time) as firstTime max(_time) as lastTime
values(dest_port) as dest_port
values(dest) as dest
values(transport) as transport
values(url) as url
values(rule) as rule
count by src ClientApplication action
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup cisco_secure_firewall_appid_remote_mgmt_and_desktop_tools appName AS ClientApplication OUTPUT category, appDescription as Description
| search category IN ("remote administration", "remote desktop control")
| `remote_access_software_usage_exceptions`
| `cisco_secure_firewall___remote_access_software_usage_traffic_filter`