Detection: Windows Remote Access Software Usage Process
Description
The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.
Annotations
No annotations available.
Implementation
The detection is based on data that originates from Windows Event Log Security. To implement this search, you must ingest Windows Event Log Security 4688 and enable command-line logging.
Known False Positives
It is possible that legitimate remote access software is used within the environment.
Associated Analytic Story
Risk Based Analytics (RBA)
| Risk Message | Risk Score | Impact | Confidence |
|---|---|---|---|
| A process for a known remote access software $process_name$ was identified on $dest_device_id$. | 25 | 50 | 50 |
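As an added illustration (not part of the Splunk analytic itself), the logic below runs the same check over a few constructed Windows Security 4688 events: it extracts the image name from the new-process field, compares it against a watchlist of remote access executables, and emits the risk message with the $process_name$ and $dest_device_id$ values filled in. The watchlist, the key=value event layout and the field names are assumptions for this example, not the analytic's own lookup or SPL.

```python
import re

# Assumed watchlist of remote access executables (constructed for the example;
# the real analytic may carry a different or longer list).
REMOTE_ACCESS_PROCESSES = {
    "anydesk.exe", "teamviewer.exe", "teamviewer_service.exe",
    "logmein.exe", "g2comm.exe",  # g2comm.exe is a GoToMyPC component
}
RISK = {"risk_score": 25, "impact": 50, "confidence": 50}  # values from the RBA table

# Constructed 4688-style events in key=value form (field names are assumptions).
SAMPLE_EVENTS = [
    'EventCode=4688 Computer=WS01.corp.local NewProcessName="C:\\Program Files\\AnyDesk\\AnyDesk.exe" '
    'ParentProcessName="C:\\Windows\\explorer.exe" CommandLine="AnyDesk.exe --silent"',
    'EventCode=4688 Computer=WS02.corp.local NewProcessName="C:\\Windows\\System32\\notepad.exe" '
    'ParentProcessName="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
    'EventCode=4688 Computer=SRV01.corp.local NewProcessName="C:\\Program Files\\TeamViewer\\TeamViewer_Service.exe" '
    'ParentProcessName="C:\\Windows\\System32\\services.exe" CommandLine="TeamViewer_Service.exe"',
    'EventCode=4624 Computer=WS03.corp.local TargetUserName=alice',  # logon event, must be ignored
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_event(line):
    """Turn one key=value event line into a dict, stripping quotes from quoted values."""
    fields = {}
    for key, raw, quoted in FIELD_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def detect(events):
    """Return one risk notable per 4688 event whose image name is on the watchlist."""
    hits = []
    for line in events:
        ev = parse_event(line)
        if ev.get("EventCode") != "4688":
            continue  # only process-creation events carry NewProcessName
        process_name = ev.get("NewProcessName", "").rsplit("\\", 1)[-1]
        if process_name.lower() not in REMOTE_ACCESS_PROCESSES:
            continue
        dest = ev.get("Computer", "unknown")
        hits.append({
            "dest_device_id": dest,
            "process_name": process_name,
            "parent_process_name": ev.get("ParentProcessName", "").rsplit("\\", 1)[-1],
            "risk_message": f"A process for a known remote access software {process_name} was identified on {dest}.",
            **RISK,
        })
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["risk_message"], hit["parent_process_name"])
```

Tuning the false positives the page mentions means removing the environment's sanctioned tools from the watchlist, or adding an allowlist keyed on the parent process and host rather than dropping the whole detection.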
References
- https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
- https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
Version: 1