← Library
splApache-2.0from splunk/security_content

Detect Remote Access Software Usage File

The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems. It is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage. In order to enhance performance, the detection filters for specific file names extensions / names that are used in the remote_access_software lookup. If add additional entries, consider updating the search filters to include those file names / extensions as well, if not alread covered.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/detect_remote_access_software_usage_file.yml
| tstats `security_content_summariesonly`
  count min(_time) as firstTime,
        max(_time) as lastTime
        values(Filesystem.file_path) as file_path
from datamodel=Endpoint.Filesystem
where Filesystem.file_name IN (
  "*.app",
  "*.exe",
  "*.msi",
  "*.pkg",
  "*echoware.dll",
  "*Idrive.*",
  "*rdp2tcp.py"
)
by Filesystem.action Filesystem.dest Filesystem.file_access_time
   Filesystem.file_create_time Filesystem.file_hash
   Filesystem.file_modify_time Filesystem.file_name
   Filesystem.file_path Filesystem.file_acl Filesystem.file_size
   Filesystem.process_guid Filesystem.process_id
   Filesystem.user Filesystem.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Filesystem)`
| lookup remote_access_software remote_utility AS file_name OUTPUT isutility, description as signature, comment_reference as desc, category
| search isutility = TRUE
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_file_filter`