attack.t1219

Suspicious Velociraptor Child Process

Oct 23, 2025 · attack.command-and-control attack.persistence attack.defense-evasion attack.t1219 ·

Detects the suspicious use of the Velociraptor DFIR tool to execute other tools or download additional payloads, as seen in a campaign where it was abused for remote access and to stage further attacks.

Remote Access Tool - TacticalRMM Agent Registration to Potentially Attacker-Controlled Server

Sep 22, 2025 · attack.command-and-control attack.t1219 attack.t1105 ·

Share on:

Detects TacticalRMM agent installations where the --api, --auth, and related flags are used on the command line. These parameters configure the agent to connect to a specific RMM server with authentication, client ID, and site ID. This technique could indicate a threat actor attempting to register the agent with an attacker-controlled RMM infrastructure silently.

Renamed Visual Studio Code Tunnel Execution

Sep 22, 2025 · attack.command-and-control attack.t1071.001 attack.t1219 ·

Share on:

Detects renamed Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

Visual Studio Code Tunnel Execution

Sep 22, 2025 · attack.command-and-control attack.t1071.001 attack.t1219 ·

Share on:

Detects Visual Studio Code tunnel execution. Attackers can abuse this functionality to establish a C2 channel

Detect MeshAgent Command Execution via MeshCentral

Sep 21, 2024 · attack.command_and_control attack.t1219 ·

Share on:

Detects the use of MeshAgent to execute commands on the target host, particularly when threat actors might abuse it to execute commands directly. MeshAgent can execute commands on the target host by leveraging win-console to obscure their activities and win-dispatcher to run malicious code through IPC with child processes.

Arbitrary code execution and remote sessions via Action1 RMM

Aug 10, 2024 · attack.CommandAndControl attack.T1219 ·

Share on:

Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. Hunting Opportunity 1- Weed Out The Noise --- When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"

After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences. An example query of this in Splunk could be: Index="" source="" Image="*\action1_agent.exe" ParentCommandLine="runaction:0" | rex field=ParentCommandLine "(?<=Deploy_App__)(?.(?=(_1)))"

Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours ---- If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.