SplashTop Process

Jan 8, 2023 · attack.lateral_movement attack.t1133 attack.command_and_control attack.t1219 ·

Detects use of SplashTop

Sigma rule (View on GitHub)

 1title: SplashTop Process
 2id: 20b92a34-13d8-4bf0-a6d6-8c4ea8fedd40
 3status: experimental
 4description: Detects use of SplashTop
 5author: _pete_0, TheDFIRReport
 6references:
 7  - https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-
 8  - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
 9date: 2022/05/06
10modified: 2022/05/06
11logsource:
12  category: process_creation
13  product: windows
14detection:
15  selection:
16    Product|contains:
17      - 'SplashTop'
18    Description|contains:
19      - 'SplashTop'
20  condition: selection
21falsepositives:
22  - Legitimate SplashTop installation
23level: high
24tags:
25  - attack.lateral_movement
26  - attack.t1133
27  - attack.command_and_control
28  - attack.t1219

References

https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-

Read More
Stolen Images Campaign Ends in Conti Ransomware

In this intrusion from December 2021, the threat actors utilized IcedID as the initial access vector. IcedID is a banking trojan that first appeared in 2017, usually, it is delivered via malspam ca…

Read More

SplashTop Process

Sigma rule (View on GitHub)

References

https://support-splashtopbusiness.splashtop.com/hc/en-us/articles/212724303-Why-does-the-Splashtop-software-show-unable-to-reach-Splashtop-servers-

Stolen Images Campaign Ends in Conti Ransomware

Related rules