← Library
splApache-2.0from splunk/security_content

Detect Remote Access Software Usage Process

The following analytic detects the execution of known remote access software within the environment. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on process names and parent processes mapped to the Endpoint data model. We then compare with with a list of known remote access software shipped as a lookup file - remote_access_software. This activity is significant as adversaries often use remote access tools like AnyDesk, GoToMyPC, LogMeIn, and TeamViewer to maintain unauthorized access. If confirmed malicious, this could allow attackers to control systems remotely, exfiltrate data, or deploy additional malware, posing a severe threat to the organization's security.

Quality
67
FP risk
Forks
0
Views
0
Rule sourcedetections/endpoint/detect_remote_access_software_usage_process.yml
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.parent_process) as parent_process
  from datamodel=Endpoint.Processes
  where
  [| inputlookup remote_access_software where isutility=TRUE
  | rename remote_utility AS Processes.process_name
  | fields Processes.process_name]
  AND Processes.dest!="unknown"
  AND Processes.user!="unknown"
  by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| lookup remote_access_software remote_utility AS process_name OUTPUT isutility description AS signature comment_reference AS desc category
| search isutility = TRUE
| `remote_access_software_usage_exceptions`
| `detect_remote_access_software_usage_process_filter`