SplashTop Process

Mar 18, 2025 · attack.lateral-movement attack.t1133 attack.command-and-control attack.t1219 ·

Detects use of SplashTop

Sigma rule (View on GitHub)

 1title: SplashTop Process
 2id: 20b92a34-13d8-4bf0-a6d6-8c4ea8fedd40
 3status: experimental
 4description: Detects use of SplashTop
 5author: _pete_0, TheDFIRReport
 6references:
 7    - https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-
 8    - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 9date: 2022-05-06
10modified: 2022-05-06
11logsource:
12    category: process_creation
13    product: windows
14detection:
15    selection:
16        Product|contains: 'SplashTop'
17        Description|contains: 'SplashTop'
18    condition: selection
19falsepositives:
20    - Legitimate SplashTop installation
21level: high
22tags:
23    - attack.lateral-movement
24    - attack.t1133
25    - attack.command-and-control
26    - attack.t1219

yaml

References

https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-

Read More
Stolen Images Campaign Ends in Conti Ransomware

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam ca…

Read More

SplashTop Process

Sigma rule (View on GitHub)

References

https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-

Stolen Images Campaign Ends in Conti Ransomware

Related rules