Remote Access Tool - Simple Help Execution

 1title: Remote Access Tool - Simple Help Execution
 2id: 95e60a2b-4705-444b-b7da-ba0ea81a3ee2
 3status: experimental
 4description: |
 5    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
 6    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
 7    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)    
 8references:
 9    - https://www.huntress.com/blog/slashandgrab-screen-connect-post-exploitation-in-the-wild-cve-2024-1709-cve-2024-1708
10author: Nasreddine Bencherchali (Nextron Systems)
11date: 2024/02/23
12tags:
13    - attack.command_and_control
14    - attack.t1219
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection:
20        Image|contains:
21            - '\JWrapper-Remote Access\'
22            - '\JWrapper-Remote Support\'
23        Image|endswith: '\SimpleService.exe'
24    condition: selection
25falsepositives:
26    - Legitimate usage of the tool
27level: medium