Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Read More

Detects potential Amazon SSM agent hijack attempts as outlined in the Mitiga research report.

Read More

Detects a DNS query initiated from a "wscript" process for domains matching a specific pattern that was seen being used by SocGholish for its Command and Control traffic

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects the presence and execution of Inveigh via dropped artefacts

Read More

Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers

Read More

Detects AnyDesk writing binary files to disk other than "gcapi.dll". According to RedCanary research it is highly abnormal for AnyDesk to write executable files to disk besides gcapi.dll, which is a legitimate DLL that is part of the Google Chrome web browser used to interact with the Google Cloud API. (See reference section for more details)

Read More

Detects a tscon.exe start as LOCAL SYSTEM

Read More

Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software,to establish an interactive command and control channel to target systems within networks

Read More

Detects DNS queries to a TeamViewer domain only resolved by a TeamViewer client by an image that isn't named TeamViewer (sometimes used by threat actors for obfuscation)

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file

Read More

Detects potential RDP connection via Mstsc using a local ".rdp" file located in suspicious locations.

Read More

Detects successful installation of Atera Remote Monitoring & Management (RMM) agent as recently found to be used by Conti operators

Read More

Action1 is a powerful Remote Monitoring and Management tool that enables users to execute commands, scripts, and binaries. Through the web interface of action1, the administrator must create a new policy or an app to establish remote execution and then points that the agent is installed. Hunting Opportunity 1- Weed Out The Noise --- When threat actors execute a script, a command, or a binary through these new policies and apps, the names of these become visible in the command line during the execution process. Below is an example of the command line that contains the deployment of a binary through a policy with name "test_app_1": ParentCommandLine: "C:\WINDOWS\Action1\action1_agent.exe schedule:Deploy_App__test_app_1_1681327673425 runaction:0"

After establishing a baseline, we can split the command to extract the policy name and group all the policy names and inspect the results with a list of frequency occurrences. An example query of this in Splunk could be: Index="" source="" Image="*\action1_agent.exe" ParentCommandLine="runaction:0" | rex field=ParentCommandLine "(?<=Deploy_App__)(?.(?=(_1)))"

Hunting Opportunity 2 - Remote Sessions On Out Of Office Hours ---- If you have admins within your environment using remote sessions to administer endpoints, you can create a threat-hunting query and modify the time of the initiated sessions looking for abnormal activity.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects piping the password to an anydesk instance via CMD and the '--set-password' flag.

Read More

Detects AnyDesk Remote Desktop silent installation. Which can be used by attackers to gain remote access.

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

Detects a highly relevant Antivirus alert that reports an exploitation framework

Read More

Detects the creation of log files during a TeamViewer remote session

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Read More

TeamViewer_Desktop.exe is create during install

Read More

Detects use of AnyDesk

Read More

Detects use of SplashTop

Read More

Detects use of SplashTop

Read More

Detects the usage of tsclient share to place a backdoor on the RDP source machine's startup folder

Read More

Detects logons using NTLM to hosts that are potentially not part of the domain.

Read More