Remote Access Tool - UltraViewer Execution

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Sigma rule (View on GitHub)

 1title: Remote Access Tool - UltraViewer Execution
 2id: 88656cec-6c3b-487c-82c0-f73ebb805503
 3status: test
 4description: |
 5    An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
 6    These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
 7    Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)    
 8references:
 9    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md
10author: frack113
11date: 2022-09-25
12modified: 2024-03-14
13tags:
14    - attack.command-and-control
15    - attack.t1219
16logsource:
17    category: process_creation
18    product: windows
19detection:
20    selection:
21        - Product: 'UltraViewer'
22        - Company: 'DucFabulous Co,ltd'
23        - OriginalFileName: 'UltraViewer_Desktop.exe'
24    condition: selection
25falsepositives:
26    - Legitimate use
27level: medium

References

Related rules

to-top