Detection: Windows Remote Access Software Usage Process

Description

The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.

Annotations

No annotations available.

Implementation

The detection is based on process creation telemetry from the Windows Security event log. To implement this search, ingest Windows Security event ID 4688 (process creation) and enable command-line logging (the "Include command line in process creation events" audit policy; without it the Process Command Line field of 4688 is empty), then make sure the events populate the process name, parent process and command line fields of the Endpoint data model that the search reads. Sysmon process creation events mapped to the same data model also satisfy the search.

Known False Positives

Legitimate remote access software is commonly used by help desk and IT staff, so this analytic will fire on approved usage. Tune it by filtering the approved tools, hosts or users rather than disabling the search, and give higher priority to tools launched from user-writable locations or by parent processes that do not match your software deployment path.
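The following is an added example, not code from the Splunk security content project, that shows the detection logic described under Implementation running over 4688 process creation events and the allowlist tuning described under Known False Positives. The events are constructed for the example, and the table of image names and the allowlist entries are illustrative assumptions (the production search uses a maintained lookup that is not reproduced here).

```python
import re
from dataclasses import dataclass

# Illustrative mapping of process image names to the tools named on this page.
# ASSUMPTION: this table is an example stand-in for the maintained lookup the
# production detection consults; it is not that lookup.
REMOTE_ACCESS_SOFTWARE = {
    "anydesk.exe": "AnyDesk",
    "teamviewer.exe": "TeamViewer",
    "teamviewer_service.exe": "TeamViewer",
    "logmein.exe": "LogMeIn",
    "lmiguardiansvc.exe": "LogMeIn",
    "g2svc.exe": "GoToMyPC",
    "g2tray.exe": "GoToMyPC",
}

# Tuning for the false positive described on the page: (host, tool) pairs that
# are approved for use. Hypothetical values.
ALLOWLIST = {("HELPDESK-01", "TeamViewer")}

# The three fields of a 4688 message body the search relies on. With command
# line logging disabled, "Process Command Line" is present but empty.
FIELD_RE = re.compile(
    r"^\s*(New Process Name|Creator Process Name|Process Command Line):\s*(.*?)\s*$",
    re.MULTILINE,
)


@dataclass(frozen=True)
class Finding:
    dest: str
    process_name: str
    signature: str
    parent_process_name: str
    process: str
    risk_score: int


def parse_4688(message: str) -> dict:
    """Extract the process fields from a 4688 message body into a dict."""
    return {name: value for name, value in FIELD_RE.findall(message)}


def basename(path: str) -> str:
    """Reduce a Windows image path to a lower-cased file name for lookup."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def risk_score(impact: int, confidence: int) -> int:
    """Risk score formula from the page: Impact * Confidence / 100."""
    return impact * confidence // 100


def detect(events, allowlist=ALLOWLIST):
    """Return one Finding per event whose new process is a known remote access tool.

    events is an iterable of (dest, message) tuples; matches on an approved
    (dest, tool) pair in allowlist are suppressed.
    """
    findings = []
    for dest, message in events:
        fields = parse_4688(message)
        new_proc = fields.get("New Process Name", "")
        if not new_proc:
            continue  # not a 4688 body, nothing to match on
        name = basename(new_proc)
        signature = REMOTE_ACCESS_SOFTWARE.get(name)
        if signature is None or (dest, signature) in allowlist:
            continue
        findings.append(Finding(
            dest=dest,
            process_name=name,
            signature=signature,
            parent_process_name=basename(fields.get("Creator Process Name", "")),
            process=fields.get("Process Command Line", ""),
            risk_score=risk_score(50, 50),
        ))
    return findings


# Constructed 4688 message bodies (not real log data): an AnyDesk install from
# a Downloads folder, an approved TeamViewer launch on the help desk host, and
# a benign process that must not match.
SAMPLE_EVENTS = [
    ("WKSTN-042", "A new process has been created.\n"
                  "New Process Name:\tC:\\Users\\jdoe\\Downloads\\AnyDesk.exe\n"
                  "Creator Process Name:\tC:\\Windows\\explorer.exe\n"
                  "Process Command Line:\t\"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe\" --install\n"),
    ("HELPDESK-01", "A new process has been created.\n"
                    "New Process Name:\tC:\\Program Files\\TeamViewer\\TeamViewer.exe\n"
                    "Creator Process Name:\tC:\\Windows\\explorer.exe\n"
                    "Process Command Line:\t\"C:\\Program Files\\TeamViewer\\TeamViewer.exe\"\n"),
    ("WKSTN-042", "A new process has been created.\n"
                  "New Process Name:\tC:\\Windows\\System32\\notepad.exe\n"
                  "Creator Process Name:\tC:\\Windows\\explorer.exe\n"
                  "Process Command Line:\tnotepad.exe\n"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"A process for a known remote access software {f.process_name} "
              f"was identified on {f.dest} (parent {f.parent_process_name}, "
              f"risk {f.risk_score})")
```

Matching on the image name alone, as above, is what the page's search does; an adversary who renames the binary evades it, so in practice pair this check with file hash, signer or original file name fields where your EDR supplies them.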

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message: A process for a known remote access software $process_name$ was identified on $dest_device_id$.
Risk Score: 25
Impact: 50
Confidence: 50
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence / 100), which for this analytic gives 50 * 50 / 100 = 25. Initial Confidence and Impact are set by the analytic author.

References


Version: 1