Detect Remote Access Software Usage File

The following analytic detects the writing of files from known remote access software to disk within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on file path, file name, and user information. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to persist in the environment, potentially leading to data exfiltration, further compromise, or complete control over affected systems. It is best to update both the remote_access_software_usage_exception.csv lookup and the remote_access_software lookup with any known or approved remote access software to reduce false positives and increase coverage. In order to enhance performance, the detection filters for specific file names extensions / names that are used in the remote_access_software lookup. If add additional entries, consider updating the search filters to include those file names / extensions as well, if not alread covered.