LoFP / It is possible that legitimate remote access software is used within the environment. Ensure that the lookup is reviewed and updated with any additional remote access software that is used within the environment.

Techniques

Sample rules

Detect Remote Access Software Usage DNS

Description

The following analytic detects when a known remote access software domain is contacted from within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and many more. Review the lookup for the entire list and add any others.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(DNS.answer) as answer from datamodel=Network_Resolution by DNS.src DNS.query
| `drop_dm_object_name("DNS")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_domain AS query OUTPUT isutility, description as signature, comment_reference as desc, category
| eval dest = query
| search isutility = True
| `detect_remote_access_software_usage_dns_filter`

Detect Remote Access Software Usage Traffic

Description

The following analytic detects when network traffic from a known remote access software application is observed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and many more. Review the lookup for the entire list and add any others.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(All_Traffic.dest_port) as dest_port latest(user) as user from datamodel=Network_Traffic by All_Traffic.src All_Traffic.dest, All_Traffic.app
| `drop_dm_object_name("All_Traffic")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| lookup remote_access_software remote_appid AS app OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `detect_remote_access_software_usage_traffic_filter`

Detect Remote Access Software Usage Process

Description

The following analytic detects when a known remote access software utility is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and many more. Review the lookup for the entire list and add any others.

Detection logic

| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process from datamodel=Endpoint.Processes where Processes.dest!=unknown Processes.process!=unknown by Processes.dest Processes.user Processes.process_name Processes.process
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| lookup remote_access_software remote_utility AS process_name OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `detect_remote_access_software_usage_process_filter`

Detect Remote Access Software Usage URL

Description

The following analytic detects when a known remote access software utility is executed within the environment. Adversaries use these utilities to retain remote access capabilities to the environment. Utilities in the lookup include AnyDesk, GoToMyPC, LogMeIn, TeamViewer and many more. Review the lookup for the entire list and add any others.

Detection logic

| tstats count min(_time) as firstTime max(_time) as lastTime latest(Web.http_method) as http_method latest(Web.http_user_agent) as http_user_agent latest(Web.url) as url latest(Web.user) as user latest(Web.dest) as dest from datamodel=Web by Web.action Web.src Web.category Web.url_domain
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name("Web")`
| lookup remote_access_software remote_domain AS url_domain OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = True
| `detect_remote_access_software_usage_url_filter`
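All four rules above (DNS, Traffic, Process and URL) are the same pipeline applied to a different data model: aggregate with tstats, join one field against the remote_access_software lookup, keep rows where isutility is True, then apply a site-specific filter macro. The Python below is an added example, not code from the Splunk security content project or from this page; it emulates that pipeline offline so the matching and the false-positive tuning point from the LoFP note can be exercised without Splunk. The lookup rows, the sanctioned-product set standing in for the `*_filter` macros, and all events and timestamps are constructed sample data; exact case-insensitive matching is assumed for the lookup, as a default CSV lookup behaves.

```python
"""Offline emulation of the four 'Detect Remote Access Software Usage' rules."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the remote_access_software lookup (sample rows, not the
# real lookup contents). Column names follow the fields used by the page's SPL.
REMOTE_ACCESS_SOFTWARE = [
    {"remote_utility": "anydesk.exe", "remote_domain": "anydesk.example",
     "remote_appid": "anydesk", "isutility": "True", "description": "AnyDesk",
     "comment_reference": "constructed-ref-1", "category": "remote_access"},
    {"remote_utility": "teamviewer.exe", "remote_domain": "teamviewer.example",
     "remote_appid": "teamviewer", "isutility": "True", "description": "TeamViewer",
     "comment_reference": "constructed-ref-2", "category": "remote_access"},
    # Present in the table but not a utility: shows why 'search isutility = True' is needed.
    {"remote_utility": "", "remote_domain": "support-portal.example", "remote_appid": "",
     "isutility": "False", "description": "Vendor portal",
     "comment_reference": "constructed-ref-3", "category": "web_portal"},
]

# Stand-in for the per-rule *_filter macros: products sanctioned in this environment
# (the LoFP tuning point). Constructed value.
SANCTIONED_SIGNATURES = {"TeamViewer"}


def ctime(epoch):
    """Emulates security_content_ctime: epoch seconds to a readable UTC string."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def run_rule(events, lookup_field, event_field, group_by, values_of=()):
    """Group like 'tstats ... by <group_by>', join <event_field> to the lookup's
    <lookup_field> (case-insensitive exact match), keep isutility=True rows and drop
    sanctioned products. values()/latest() columns are collapsed to sorted unique values."""
    index = {row[lookup_field].lower(): row for row in REMOTE_ACCESS_SOFTWARE if row[lookup_field]}
    groups = defaultdict(list)
    for ev in events:
        groups[tuple(ev[f] for f in group_by)].append(ev)
    hits = []
    for key, evs in groups.items():
        fields = dict(zip(group_by, key))
        row = index.get(str(fields[event_field]).lower())
        if row is None or row["isutility"] != "True" or row["description"] in SANCTIONED_SIGNATURES:
            continue
        times = [ev["_time"] for ev in evs]
        hit = {**fields, "count": len(evs), "firstTime": ctime(min(times)), "lastTime": ctime(max(times)),
               "signature": row["description"], "desc": row["comment_reference"], "category": row["category"]}
        for f in values_of:
            hit[f] = sorted({ev[f] for ev in evs if f in ev})
        hits.append(hit)
    return hits


def detect_dns(events):
    hits = run_rule(events, "remote_domain", "query", ("src", "query"), ("answer",))
    for h in hits:
        h["dest"] = h["query"]  # '| eval dest = query'
    return hits


def detect_traffic(events):
    return run_rule(events, "remote_appid", "app", ("src", "dest", "app"), ("dest_port", "user"))


def detect_process(events):
    # 'where Processes.dest!=unknown Processes.process!=unknown'
    events = [e for e in events if e["dest"] != "unknown" and e["process"] != "unknown"]
    return run_rule(events, "remote_utility", "process_name",
                    ("dest", "user", "process_name", "process"), ("parent_process",))


def detect_url(events):
    return run_rule(events, "remote_domain", "url_domain",
                    ("action", "src", "category", "url_domain"), ("http_method", "url", "user", "dest"))


# Constructed sample events; _time values are made-up epoch seconds.
DNS_EVENTS = [
    {"_time": 1700000000, "src": "10.0.0.5", "query": "anydesk.example", "answer": "203.0.113.10"},
    {"_time": 1700000600, "src": "10.0.0.5", "query": "anydesk.example", "answer": "203.0.113.11"},
    {"_time": 1700000100, "src": "10.0.0.7", "query": "intranet.example", "answer": "10.0.1.1"},
    {"_time": 1700000200, "src": "10.0.0.9", "query": "teamviewer.example", "answer": "203.0.113.20"},
    {"_time": 1700000300, "src": "10.0.0.9", "query": "support-portal.example", "answer": "203.0.113.30"},
]
TRAFFIC_EVENTS = [
    {"_time": 1700000000, "src": "10.0.0.5", "dest": "198.51.100.20", "app": "anydesk", "dest_port": 443, "user": "alice"},
    {"_time": 1700000050, "src": "10.0.0.6", "dest": "198.51.100.30", "app": "ssl", "dest_port": 443, "user": "bob"},
    {"_time": 1700000080, "src": "10.0.0.9", "dest": "198.51.100.40", "app": "teamviewer", "dest_port": 5938, "user": "carol"},
]
PROCESS_EVENTS = [
    {"_time": 1700000000, "dest": "WS01", "user": "alice", "process_name": "AnyDesk.exe",
     "process": "C:\\Users\\alice\\Downloads\\AnyDesk.exe", "parent_process": "explorer.exe"},
    {"_time": 1700000010, "dest": "unknown", "user": "dave", "process_name": "anydesk.exe",
     "process": "unknown", "parent_process": "unknown"},
    {"_time": 1700000020, "dest": "WS02", "user": "bob", "process_name": "notepad.exe",
     "process": "C:\\Windows\\System32\\notepad.exe", "parent_process": "explorer.exe"},
]
WEB_EVENTS = [
    {"_time": 1700000000, "action": "allowed", "src": "10.0.0.5", "category": "remote-access",
     "url_domain": "anydesk.example", "url": "https://anydesk.example/download",
     "http_method": "GET", "user": "alice", "dest": "203.0.113.10"},
    {"_time": 1700000040, "action": "allowed", "src": "10.0.0.7", "category": "business",
     "url_domain": "intranet.example", "url": "https://intranet.example/",
     "http_method": "GET", "user": "bob", "dest": "10.0.1.1"},
]

if __name__ == "__main__":
    for name, fn, evs in (("dns", detect_dns, DNS_EVENTS), ("traffic", detect_traffic, TRAFFIC_EVENTS),
                          ("process", detect_process, PROCESS_EVENTS), ("url", detect_url, WEB_EVENTS)):
        for hit in fn(evs):
            print(name, hit)
```

Running it yields one hit per rule, all for the AnyDesk sample rows: the TeamViewer events are suppressed by the sanctioned set (the role the `*_filter` macros play), the vendor-portal DNS query is dropped by the isutility check, and the process event with dest "unknown" never reaches the lookup. When tuning the real rules, add sanctioned products either to the filter macro or, as the LoFP note says, by keeping the lookup itself current.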